ESET researchers reveal the modus operandi of the elusive InvisiMole group, including newly discovered connections to the Gamaredon group
While tracking the InvisiMole group, which we discovered and first reported on in 2018, we found a new campaign targeting high-profile organizations in Eastern Europe. While investigating the attacks, we worked closely with the affected organizations to uncover the updated toolset and previously unknown details about InvisiMole's tactics, techniques and procedures (TTPs).
In this blog post, we summarize the findings published in full in our white paper, InvisiMole: The Hidden Part of History.
The InvisiMole group is a threat actor that has been active since at least 2013. We previously documented its two backdoors, RC2CL and RC2FM, which are notable for their extensive spying capabilities. However, we did not know how these backdoors were delivered, spread or installed on the system.
In this recent campaign, the InvisiMole group has resurfaced with an updated toolset, targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe. According to our telemetry, the attack attempts lasted from late 2019 until the time of writing this report.
By investigating the attacks in cooperation with the affected organizations, we were able to uncover the inner workings of the updated InvisiMole toolset.
We noticed that InvisiMole's arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest and possibly gained administrative privileges. This allows the InvisiMole group to devise creative ways of operating under the radar.
For example, the attackers use long execution chains that combine malicious shellcode with legitimate tools and vulnerable executables. They use DNS tunneling for stealthier C&C communication and place execution guardrails on the malicious components to hide the malware from security researchers.
During our investigation, we found that InvisiMole was delivered to the compromised systems by a .NET downloader detected by ESET products as MSIL/Pterodo, which is the work of the Gamaredon group. Gamaredon is a threat actor that has been active since at least 2013, evolves rapidly, and makes little effort to stay under the radar. We recently documented the latest Gamaredon components, which are distributed via spearphishing emails and used to move as far as possible within the target's network while fingerprinting the machines.
Our research now shows that Gamaredon is used to pave the way for a far stealthier payload. According to our telemetry, a small number of Gamaredon's targets are "upgraded" to the advanced InvisiMole malware, likely the targets the attackers consider particularly significant.
As we detail in the white paper, despite the evidence of collaboration we consider Gamaredon and InvisiMole to be two distinct groups with different TTPs, rather than a single threat actor.
Delivery and spreading mechanisms
We document three ways in which InvisiMole spreads within compromised networks:
Exploiting the BlueKeep vulnerability in the RDP protocol (CVE-2019-0708)
Exploiting the EternalBlue vulnerability in the SMB protocol (CVE-2017-0144)
Using trojanized documents and software installers, created from benign files stolen from the compromised organization
To create the trojanized files, InvisiMole first steals documents or software installers from the compromised organization, then creates an SFX archive that bundles the file with the InvisiMole installer. The original file is then replaced with the weaponized version, while its name, icon and metadata are retained. The attackers rely on users to share and execute these files.
This lateral movement technique is particularly powerful when the trojanized file is a software installer stored on a central server, a common way of deploying software in larger organizations. In this way, InvisiMole is organically distributed to the many computers that use this server.
Regardless of the delivery method, the first InvisiMole component deployed on newly compromised computers is always the InvisiMole TCP downloader, a simple addition to the toolset that downloads the next stage of the infiltration.
The second addition to the updated InvisiMole toolset, the DNS downloader, has the same functionality but is designed for long-term, covert access to the computer. It uses a stealthier method of C&C communication, a technique called DNS tunneling (see Figure 2).
With DNS tunneling, the compromised client does not contact the C&C server directly. It communicates only with the benign DNS servers the victim's computer would normally talk to, sending requests to resolve a domain to its IP address. The DNS server then contacts the name server responsible for the domain in the request, which is an attacker-controlled name server, and relays its response back to the client.
The actual C&C communication is embedded in these DNS requests and responses, unknown to the benign DNS server, which merely acts as an intermediary in the communication.
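The DNS tunneling scheme above leaves a footprint in ordinary resolver logs: long, high-entropy, Base32-shaped leftmost labels under one registrable domain (the report notes that the DNS downloader encodes data in the subdomain with a Base32 variant). The following detector is an added example, not ESET's or InvisiMole's code; the log format ("client qname"), the thresholds and the sample lines are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample of DNS query logs ("client qname"), not taken from the ESET report.
# The example.net queries mimic a tunnel: long, high-entropy, Base32-alphabet first labels.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 ci3pgjfbhuqigfcbw4lqbn6lloy4hbjd5a2txwjv.updates.example.net
10.0.0.5 he4jxc3z4pmm7r5ndlpmtbgebkelmj36cmfd7m3s.updates.example.net
10.0.0.5 m7ph2xrvthrv5hfzblshugqyqzm3jkyhnevmgrbo.updates.example.net
10.0.0.5 7fanyjtmwzojhtvpxp74rz4ikxlt4l3k5q4o4cmr.updates.example.net
10.0.0.7 cdn.example.com
10.0.0.7 static.example.com
"""

# RFC 4648 Base32 alphabet (case-folded). InvisiMole uses a *variation* of Base32,
# so treat the alphabet test as a heuristic, not a signature.
BASE32_LABEL = re.compile(r"^[a-z2-7]+$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_tunnel_like_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """A leftmost label that is long, Base32-shaped and high-entropy likely carries data."""
    return (len(label) >= min_len
            and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)


def registered_domain(qname: str) -> str:
    """Naive registrable-domain cut (last two labels); use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def analyze_dns_log(log_text: str, min_hits: int = 3) -> dict:
    """Return {domain: {"queries", "tunnel_like", "clients"}} for every domain that
    received at least min_hits tunnel-like queries."""
    stats = defaultdict(lambda: {"queries": 0, "tunnel_like": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        qname = qname.lower().rstrip(".")
        rec = stats[registered_domain(qname)]
        rec["queries"] += 1
        rec["clients"].add(client)
        if is_tunnel_like_label(qname.split(".")[0]):
            rec["tunnel_like"] += 1
    return {
        dom: {"queries": r["queries"], "tunnel_like": r["tunnel_like"],
              "clients": sorted(r["clients"])}
        for dom, r in stats.items() if r["tunnel_like"] >= min_hits
    }


if __name__ == "__main__":
    for dom, rec in analyze_dns_log(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {dom}: {rec}")
```

Tune the thresholds against a baseline of your own resolver logs; CDNs and some anti-spam services also produce long encoded labels, so the flagged domains are leads for investigation rather than verdicts.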
The most notable feature of the latest InvisiMole toolset is its long execution chains that deliver the final payloads: the updated RC2FM and RC2CL backdoors, as well as the new TCP and DNS downloaders.
We reconstructed four execution chains that the attackers use in different situations, depending on the operating system version of the victim's computer and on whether they have obtained administrative privileges on the system:
The Control Panel misuse chain uses a rare technique known from the Vault 7 leaks to achieve covert execution in the context of the Control Panel.
The SMInit exploit chain exploits a vulnerability in the legitimate Total Video Player software. It is used in cases where the attackers have not managed to obtain administrative privileges on the system.
The Speedfan exploit chain exploits a local privilege escalation vulnerability in the speedfan.sys driver to inject its code into a trusted process from kernel mode.
The Wdigest exploit chain is InvisiMole's flagship chain, the most elaborate one, used on the latest versions of Windows where the attackers have administrative privileges. It exploits a vulnerability in the Windows wdigest.dll library and then uses an improved ListPlanting technique to inject its code into a trusted process.
The vulnerable executables used in these chains are all brought to the system by InvisiMole. The variant of this technique that uses a vulnerable driver has previously been called Bring Your Own Vulnerable Driver by fellow researchers. For the other cases, we have named the technique Bring Your Own Vulnerable Software.
We document this tactic in detail in the Execution Chains section of our white paper.
Note the frequent use of legitimate tools and of per-victim encryption, shown in the overview of these four chains in Figure 3. It is the InvisiMole operators' tactic to install only legitimate tools at first and to reserve the malicious payloads for later stages.
InvisiMole uses a Windows feature called the Data Protection API (DPAPI) to set execution guardrails and to encrypt its payloads individually for each victim:
the CryptProtectData API for data encryption
the CryptUnprotectData API for data decryption
This symmetric encryption scheme uses a key derived from the user's logon secrets. Decryption must therefore be carried out on the same computer on which the data was encrypted.
Figure 4 shows a fragment of a typical InvisiMole loader, which uses CryptUnprotectData to decrypt its payload and then checks whether the decrypted blob starts with the characteristic InvisiMole four-byte magic value:
64 DA 11 CE for 64-bit payloads
86 DA 11 CE for 32-bit payloads
The DPAPI feature, intended for the local storage of credentials such as Wi-Fi passwords or logon passwords in web browsers, is misused by InvisiMole to protect its payloads from security researchers. Even if they find InvisiMole's components in telemetry or on malware-sharing platforms, they cannot decrypt them outside the victim's computer.
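Because the blob is bound to the victim's DPAPI master key, recovery for analysis has to happen on the victim host, in the affected account's context, exactly as the loader does it. The following triage script is an added example, not ESET's or InvisiMole's code: it calls CryptUnprotectData through ctypes and then applies the same four-byte magic check the loader performs; the file paths, the function names and the script name dpapi_triage.py are assumptions.

```python
import ctypes
import sys

# Magic values the InvisiMole loader expects at the start of a correctly decrypted blob
# (from the report); the bytes are compared in the order they appear in the data.
MAGIC_X64 = bytes.fromhex("64DA11CE")
MAGIC_X86 = bytes.fromhex("86DA11CE")


class DATA_BLOB(ctypes.Structure):
    """Win32 DATA_BLOB, the in/out buffer type of CryptProtectData/CryptUnprotectData."""
    _fields_ = [("cbData", ctypes.c_uint32),
                ("pbData", ctypes.POINTER(ctypes.c_ubyte))]


def dpapi_unprotect(blob: bytes) -> bytes:
    """Decrypt a DPAPI blob with CryptUnprotectData. The key is derived from the logon
    secrets of the account that encrypted it, so this only succeeds on the victim machine
    in that account's context: the guardrail described in the report."""
    if sys.platform != "win32":
        raise OSError("DPAPI (crypt32.dll) is only available on Windows")
    crypt32 = ctypes.windll.crypt32
    kernel32 = ctypes.windll.kernel32
    buf = (ctypes.c_ubyte * len(blob)).from_buffer_copy(blob)
    blob_in = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_ubyte)))
    blob_out = DATA_BLOB()
    # Args: pDataIn, ppszDataDescr, pOptionalEntropy, pvReserved, pPromptStruct, dwFlags, pDataOut
    if not crypt32.CryptUnprotectData(ctypes.byref(blob_in), None, None, None, None, 0,
                                      ctypes.byref(blob_out)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(blob_out.pbData, blob_out.cbData)
    finally:
        kernel32.LocalFree(blob_out.pbData)  # output buffer is LocalAlloc'ed by the API


def classify_payload(decrypted: bytes):
    """Apply the loader's own sanity check: 'x64', 'x86', or None when the magic is
    absent (wrong host or account, wrong file, or truncated data)."""
    head = decrypted[:4]
    if head == MAGIC_X64:
        return "x64"
    if head == MAGIC_X86:
        return "x86"
    return None


def recover_payload(blob_path: str, out_path: str) -> str:
    """Decrypt a blob collected on the victim host, keep it only if the InvisiMole magic
    is present, and return the detected payload architecture."""
    with open(blob_path, "rb") as f:
        decrypted = dpapi_unprotect(f.read())
    arch = classify_payload(decrypted)
    if arch is None:
        raise ValueError("decrypted data lacks the InvisiMole magic; wrong host or account?")
    with open(out_path, "wb") as f:
        f.write(decrypted)
    return arch


if __name__ == "__main__":
    # Run on the victim host, in the affected user's session (hypothetical script name):
    #   python dpapi_triage.py <encrypted_blob> <decrypted_output>
    print("payload architecture:", recover_payload(sys.argv[1], sys.argv[2]))
```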
Thanks to direct cooperation with the affected organizations, however, we were able to recover the payloads and reconstruct four of InvisiMole's execution chains, which are described in detail in the white paper.
When we first reported on InvisiMole in 2018, we highlighted its stealthy functionality and its complex set of capabilities. However, a large part of the picture was missing.
After discovering new activity in late 2019, we had the opportunity to take a proper look under the hood of InvisiMole's operations and put together the hidden parts of the story. Analyzing the group's updated toolset, we saw continuous development and significant improvements, with a particular focus on staying under the radar.
Our investigation also revealed a previously unknown collaboration between InvisiMole and the Gamaredon group, in which Gamaredon malware is used to infiltrate the target network and to deliver the advanced InvisiMole malware to targets of particular interest.
Having provided a detailed report on InvisiMole's TTPs, we will continue to track the group's malicious activities.
For ESET detection names and further Indicators of Compromise for these campaigns, see the full white paper, InvisiMole: The Hidden Part of History.
Thanks to ESET malware researchers Matthieu Faou, Ladislav Janko and Michal Poslušný for their work on this investigation.
MITRE ATT&CK techniques
Note: For better readability, the RC2FM and RC2CL backdoors are mapped in their own ATT&CK tables because of their extensive functionality. The first mapping covers InvisiMole's supporting components, which are used for delivery, lateral movement, execution chains and downloading additional payloads.
Tactic | ID | Name | Description
Execution | T1196 | Control Panel Items | InvisiMole's loader is masqueraded as a CPL file and misuses Control Panel items for execution.
Execution | T1106 | Execution through API | InvisiMole has used the ShellExecuteW and CreateProcessW APIs to execute files.
Execution | T1129 | Execution through Module Load | InvisiMole implements a custom loader for its components (InvisiMole blobs).
Execution | T1203 | Exploitation for Client Execution | InvisiMole has dropped the vulnerable Total Video Player software and the wdigest.dll library and exploited their stack overflow and input validation vulnerabilities to achieve covert code execution.
Execution | T1085 | Rundll32 | InvisiMole has used rundll32.exe as part of its execution chain.
Execution | T1053 | Scheduled Task | InvisiMole has used the Windows Task Scheduler as part of its execution chains.
Execution | T1035 | Service Execution | InvisiMole has registered a Windows service as one of the ways to execute its malicious payload.
Execution | T1204 | User Execution | InvisiMole has been delivered as a trojanized version of software and documents, using misleading names and icons and relying on user execution.
Persistence | T1050 | New Service | InvisiMole has registered a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.
Persistence | T1060 | Registry Run Keys / Startup Folder | InvisiMole has placed an LNK file in the Startup folder to achieve persistence.
Persistence | T1053 | Scheduled Task | InvisiMole has scheduled tasks named MSST and Microsoft Windows Autochk Scheduled to achieve persistence.
Persistence | T1023 | Shortcut Modification | InvisiMole has placed an LNK file in the Startup folder to achieve persistence.
Privilege Escalation | T1088 | Bypass User Account Control | InvisiMole can bypass User Account Control to gain elevated privileges.
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | InvisiMole has exploited vulnerability CVE-2007-5633 in the speedfan.sys driver to obtain kernel-mode privileges.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | InvisiMole decrypts strings using variations of XOR encryption. InvisiMole decrypts its components using the CryptUnprotectData API and two-key Triple DES.
Defense Evasion | T1480 | Execution Guardrails | InvisiMole has used the Data Protection API to encrypt its components on the victim's computer, in order to evade detection and to ensure that the payload can only be decrypted (and then loaded) on one specific compromised computer.
Defense Evasion | T1143 | Hidden Window | InvisiMole has executed legitimate tools in hidden windows and used them to execute malicious InvisiMole components.
Defense Evasion | T1066 | Indicator Removal from Tools | InvisiMole has been technically improved to avoid detection.
Defense Evasion | T1202 | Indirect Command Execution | InvisiMole has used the winapiexec tool for indirect execution of Windows API functions.
Defense Evasion | T1027 | Obfuscated Files or Information | InvisiMole has obfuscated strings and code to make analysis more difficult, and has encrypted its components to prevent detection.
Defense Evasion | T1055 | Process Injection | InvisiMole has injected its code into trusted processes using an improved ListPlanting technique and via the APC queue.
Defense Evasion | T1108 | Redundant Access | InvisiMole has deployed multiple backdoors on a single compromised computer.
Defense Evasion | T1085 | Rundll32 | InvisiMole has used rundll32.exe as part of its execution chain.
Defense Evasion | T1063 | Security Software Discovery | InvisiMole's DNS plugin refrains from connecting to the C&C server when selected network sniffers are running.
Defense Evasion | T1099 | Timestomp | InvisiMole has modified the timestamps of files it creates or modifies.
Defense Evasion | T1036 | Masquerading | InvisiMole has attempted to disguise its droppers as legitimate software or documents, and to hide itself by registering under a seemingly legitimate service name.
Discovery | T1046 | Network Service Scanning | InvisiMole, via its portscan and BlueKeep components, has performed network scans within the compromised network to look for open ports and for hosts vulnerable to the BlueKeep vulnerability.
Discovery | T1518 | Software Discovery | InvisiMole's DNS downloader attempts to discover selected network sniffer tools and pauses its network traffic if any are found to be running.
Discovery | T1082 | System Information Discovery | InvisiMole's DNS downloader collects the computer name and the serial number of the system volume.
Discovery | T1124 | System Time Discovery | InvisiMole can collect the timestamp from the victim's computer.
Lateral Movement | T1210 | Exploitation of Remote Services | InvisiMole has exploited the EternalBlue and BlueKeep vulnerabilities for lateral movement.
Lateral Movement | T1080 | Taint Shared Content | InvisiMole has replaced legitimate software or documents in the compromised network with their trojanized versions in order to spread within the network.
Command and Control | T1043 | Commonly Used Port | InvisiMole's downloader uses port 443 for C&C communication. InvisiMole's DNS plugin uses port 53 for C&C communication.
Command and Control | T1090 | Connection Proxy | InvisiMole's TCP downloader can use custom proxy servers for C&C communication.
Command and Control | T1024 | Custom Cryptographic Protocol | InvisiMole's TCP and DNS downloaders use a custom cryptographic protocol to encrypt network communication.
Command and Control | T1132 | Data Encoding | InvisiMole's DNS downloader uses a variation of Base32 encoding to encode data in the subdomain of its requests.
Command and Control | T1008 | Fallback Channels | InvisiMole's TCP and DNS downloaders are configured with several C&C servers.
Command and Control | T1105 | Remote File Copy | InvisiMole's TCP and DNS downloaders can download additional files to be executed on the compromised system.
Command and Control | T1071 | Standard Application Layer Protocol | InvisiMole's DNS downloader uses the DNS protocol for C&C communication.
Command and Control | T1095 | Standard Non-Application Layer Protocol | InvisiMole's TCP downloader uses the TCP protocol for C&C communication.
Command and Control | T1065 | Uncommonly Used Port | InvisiMole's TCP downloader uses port 1922 for C&C communication.
RC2CL backdoor
Tactic | ID | Name | Description
Execution | T1059 | Command-Line Interface | RC2CL backdoor can create a remote shell to execute commands.
Execution | T1106 | Execution through API | RC2CL backdoor uses the CreateProcess and CreateProcessAsUser APIs to execute files.
Privilege Escalation | T1134 | Access Token Manipulation | RC2CL backdoor can use the CreateProcessAsUser API to start a new process in the context of another user or process.
Privilege Escalation | T1088 | Bypass User Account Control | RC2CL backdoor can disable and bypass User Account Control to gain elevated privileges.
Defense Evasion | T1090 | Connection Proxy | RC2CL backdoor can be configured as a proxy relaying communication between other compromised computers and the C&C server.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | RC2CL backdoor decrypts strings using variations of XOR encryption.
Defense Evasion | T1089 | Disabling Security Tools | RC2CL backdoor can disable Windows Firewall.
Defense Evasion | T1107 | File Deletion | RC2CL backdoor can delete dropped artifacts and, on a delete command, various files. RC2CL backdoor can securely delete files to prevent forensic analysis.
Defense Evasion | T1112 | Modify Registry | RC2CL backdoor hides its configuration in registry keys.
Defense Evasion | T1027 | Obfuscated Files or Information | RC2CL backdoor obfuscates/encrypts strings and code to make analysis more difficult.
Defense Evasion | T1099 | Timestomp | RC2CL backdoor modifies the timestamps of files it creates or modifies.
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | RC2CL backdoor can detect virtualized environments.
Discovery | T1087 | Account Discovery | RC2CL backdoor can list account information and session information.
Discovery | T1010 | Application Window Discovery | RC2CL backdoor can list information about active windows.
Discovery | T1083 | File and Directory Discovery | RC2CL backdoor can list files, especially recently opened files, and information about mapped/unmapped drives.
Discovery | T1046 | Network Service Scanning | RC2CL backdoor can scan the compromised network for hosts vulnerable to the EternalBlue vulnerability.
Discovery | T1057 | Process Discovery | RC2CL backdoor can list running processes.
Discovery | T1012 | Query Registry | RC2CL backdoor can query the registry for information about installed software, applications accessed by users, applications run at user logon/startup, and recently opened files.
Discovery | T1063 | Security Software Discovery | RC2CL backdoor changes its behavior when the Bitdefender firewall is enabled or when selected AV processes are running.
Discovery | T1518 | Software Discovery | RC2CL backdoor can list installed software, software recently accessed by users, and software run every time the user logs on and/or the system starts up.
Discovery | T1082 | System Information Discovery | RC2CL backdoor can list information about loaded drivers, computer name, operating system version, memory status, local time, and system and process DEP policy.
Discovery | T1016 | System Network Configuration Discovery | RC2CL backdoor can list the IP table, configured proxy information, and information about enabled wireless networks for victim geolocation.
Discovery | T1007 | System Service Discovery | RC2CL backdoor can list system service information.
Collection | T1123 | Audio Capture | RC2CL backdoor can record sounds from microphones on a computer. RC2FM misuses a legitimate lame.dll for MP3 encoding of the recordings.
Collection | T1005 | Data from Local System | RC2CL backdoor can collect data from the system and monitor changes in specified directories.
Collection | T1074 | Data Staged | RC2CL backdoor can store collected data in a central location for later exfiltration.
Collection | T1113 | Screen Capture | RC2CL backdoor can take screenshots of the victim's screen. RC2CL backdoor can also take screenshots of separate windows.
Collection | T1125 | Video Capture | RC2CL backdoor can access the victim's webcam and capture photos/videos.
Command and Control | T1008 | Fallback Channels | RC2CL backdoor is configured with multiple C&C servers. A backdoor command makes it possible to extend the list and to change which C&C server is used.
Command and Control | T1105 | Remote File Copy | InvisiMole can download additional files to be executed on the compromised system.
Command and Control | T1065 | Uncommonly Used Port | RC2CL backdoor uses port 1922 for C&C communication.
Exfiltration | T1002 | Data Compressed | RC2CL backdoor can create zlib and SFX archives. It misuses a copy of the legitimate WinRAR compression and decompression tool.
Exfiltration | T1022 | Data Encrypted | RC2CL backdoor uses variations of XOR encryption to encrypt data.
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | RC2CL backdoor exfiltrates collected information over its C&C channel.
RC2FM backdoor
Tactic | ID | Name | Description
Execution | T1059 | Command-Line Interface | RC2FM backdoor can create a remote shell to execute commands.
Execution | T1106 | Execution through API | RC2FM backdoor supports a command that uses the ShellExecute and CreateProcess APIs to execute files.
Privilege Escalation | T1088 | Bypass User Account Control | RC2FM backdoor can bypass User Account Control to gain elevated privileges.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | RC2FM backdoor decrypts strings using variations of XOR encryption.
Defense Evasion | T1107 | File Deletion | RC2FM backdoor can delete dropped artifacts and, on a delete command, various files.
Defense Evasion | T1143 | Hidden Window | RC2FM backdoor uses the CREATE_NO_WINDOW process creation flag to run malware in a hidden window.
Defense Evasion | T1112 | Modify Registry | RC2FM backdoor hides its configuration in registry keys.
Defense Evasion | T1027 | Obfuscated Files or Information | RC2FM backdoor obfuscates/encrypts strings and code to make analysis more difficult.
Defense Evasion | T1055 | Process Injection | RC2FM backdoor can inject itself into the ctfmon.exe, dwm.exe, sihost.exe and taskhost.exe processes.
Defense Evasion | T1085 | Rundll32 | RC2FM backdoor uses rundll32.exe to load a stub DLL into which it then injects itself.
Defense Evasion | T1099 | Timestomp | RC2FM backdoor modifies the timestamps of files it creates or modifies.
Defense Evasion | T1497 | Virtualization/Sandbox Evasion | RC2FM backdoor can detect virtualized environments.
Discovery | T1083 | File and Directory Discovery | RC2FM backdoor gathers information about mapped drives. It can list files in a specified folder.
Discovery | T1135 | Network Share Discovery | RC2FM backdoor can list connected network shares.
Discovery | T1057 | Process Discovery | RC2FM backdoor can list running processes.
Discovery | T1082 | System Information Discovery | RC2FM backdoor collects the computer name and the serial number of the system volume.
Discovery | T1016 | System Network Configuration Discovery | RC2FM backdoor lists information about configured proxy servers.
Collection | T1123 | Audio Capture | RC2FM backdoor can record sounds from microphones on a computer. It misuses a legitimate lame.dll for MP3 encoding of the recordings.
Collection | T1025 | Data from Removable Media | RC2FM backdoor can collect JPEG files from connected MTP devices.
Collection | T1056 | Input Capture | RC2FM backdoor can capture keystrokes.
Collection | T1113 | Screen Capture | RC2FM backdoor can take screenshots of the victim's screen.
Command and Control | T1043 | Commonly Used Port | RC2FM backdoor uses port 80 for C&C communication.
Command and Control | T1090 | Connection Proxy | RC2FM backdoor can use the proxies configured on the local system for various installed and portable browsers if the direct connection to the C&C server fails.
Command and Control | T1008 | Fallback Channels | RC2FM backdoor is configured with multiple C&C servers. It is possible to update the C&C server with a backdoor command.
Command and Control | T1105 | Remote File Copy | InvisiMole can download additional files to be executed on the compromised system.
Command and Control | T1071 | Standard Application Layer Protocol | RC2FM backdoor uses HTTP for C&C communication.
Exfiltration | T1022 | Data Encrypted | RC2FM backdoor uses variations of XOR encryption to encrypt data.
Exfiltration | T1041 | Exfiltration Over Command and Control Channel | RC2FM backdoor exfiltrates collected information over its C&C channel.
Zuzana Hromcová and Anton Cherepanov June 18, 2020 – 11.30 a.m.