Researchers from ESET have discovered the attack chain used by the InvisiMole cyberespionage group. The Gamaredon threat actor group identified vulnerable systems and created an initial infection vector for InvisiMole. Gamaredon is linked to Russia and runs reconnaissance operations to identify vulnerable systems. Select computers on a network were infected based on the work done by Gamaredon, which would drop the malware from InvisiMole. Initial infection from Gamaredon is carried out through sophisticated spear-phishing emails. As InvisiMole worked to keep their malware undetectable, they leveraged vulnerable executables of legitimate tools such as Total Video Player, SpeedFan utility, or the wdigest[.]dll in Windows. A technique from the CIA Vault 7 documents leaks was also used by InvisiMole that uses Control Panel to execute malicious items. To stay undetectable, the threat actor took their precautions a step further by encrypting some of the payloads in the chain using the Data Protection API (DPAPI) in Windows to encrypt and decrypt payloads. InvisiMole still relies on two older backdoor programs, RC2CL and RC2FM, but have upgraded their capabilities with a simple TCP downloader and a stealthier DNS downloader. Both of the backdoors are used to fetch components from the Command and Control (C2) servers once the infection is successful. The DNS downloader hides the communication to the C2 server, making it much harder for defense teams to detect the long-term communication. To spread the infection, InvisiMole has relied on the RDP BlueKeep Vulnerability and the SMB protocol EternalBlue exploit.
Analyst Notes
InvisiMole has worked throughout this campaign to hide their presence in the victims’ networks through various components in their malware. Gamaredon and InvisiMole are separate groups and are believed to still be working independently, though in this case, they appear to be helping each other in their efforts. By using exploits for old vulnerabilities such as BlueKeep and EternalBlue, the group is relying on their victims to not have patched these issues, which is likely found during the reconnaissance done by Gamaredon. Making sure all patches are implemented throughout a network is a great start to preventing attacks that are leveraging old vulnerabilities. Utilizing system monitoring such as Binary Defense Managed Detection and Response is also another great defense to stop attacks before they move throughout an entire network. Restricting DNS requests to only go through approved servers and monitoring DNS requests for unusual activity can help uncover stealthy malware communication over DNS, although the sheer volume of DNS requests on a corporate network makes this a time-consuming task for defenders.
IOC’s and the full report from ESET can be found here: https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/
More information can be read here: https://www.bleepingcomputer.com/news/security/invisimole-malware-delivered-by-gamaredon-hacker-group/
