Researchers from ESET have uncovered the attack chain used by the InvisiMole cyberespionage group. The Gamaredon threat actor group, which is linked to Russia and runs reconnaissance operations to identify vulnerable systems, identified targets and provided the initial infection vector for InvisiMole: based on Gamaredon's groundwork, select computers on a network were then infected with InvisiMole's malware. Gamaredon's initial infection is carried out through sophisticated spear-phishing emails. To keep its malware undetectable, InvisiMole leveraged vulnerable executables of legitimate tools such as Total Video Player, the SpeedFan utility, and the wdigest[.]dll in Windows. InvisiMole also used a technique from the CIA Vault 7 document leaks that abuses Control Panel to execute malicious items. To stay undetectable, the threat actor went a step further and encrypted some of the payloads in the chain with the Windows Data Protection API (DPAPI). InvisiMole still relies on two older backdoor programs, RC2CL and RC2FM, but has upgraded its capabilities with a simple TCP downloader and a stealthier DNS downloader. Both downloaders are used to fetch components from the command and control (C2) servers once the infection has succeeded. The DNS downloader hides the communication with the C2 server, making the long-term communication much harder for defense teams to detect. To spread the infection laterally, InvisiMole has relied on the RDP BlueKeep vulnerability and the SMB protocol EternalBlue exploit.
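The DNS downloader described above hides C2 traffic inside ordinary name resolution. As an added example that is not part of ESET's research or this page, the script below shows one way a defender can hunt for that shape in DNS query logs: many unique, long, high-entropy subdomain labels sent by one client to one registered domain. The log format, domain names and thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
# Constructed sample DNS query log (timestamp client qname qtype).
# Made-up records for illustration only, not data from the ESET research.
SAMPLE_DNS_LOG = """\
2020-06-18T09:00:01 10.0.0.5 www.example.com A
2020-06-18T09:00:02 10.0.0.5 cdn.example.com A
2020-06-18T09:00:05 10.0.0.7 a3f9c1e2b7d4.9f1e2c3d4b5a6f7e.updates.example-tunnel.net TXT
2020-06-18T09:00:06 10.0.0.7 b8e2d4c1a9f0.0a1b2c3d4e5f6a7b.updates.example-tunnel.net TXT
2020-06-18T09:00:07 10.0.0.7 c1d3e5f7a9b2.1b2c3d4e5f6a7b8c.updates.example-tunnel.net TXT
2020-06-18T09:00:08 10.0.0.7 d4f6a8b0c2e1.2c3d4e5f6a7b8c9d.updates.example-tunnel.net TXT
2020-06-18T09:00:09 10.0.0.5 mail.example.com MX
"""

def shannon_entropy(s):
    # Bits per character: random-looking labels score high, real words low.
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    # Naive: last two labels. Use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    # Parse the constructed format into dicts; malformed lines are skipped.
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, qtype = parts
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower(), "qtype": qtype})
    return records

def suspicious_domains(records, min_unique=3, min_entropy=3.0, min_label_len=12):
    # Flag (client, domain) pairs that receive many unique, long, high-entropy
    # leftmost labels (data smuggled through DNS). Thresholds are assumptions; tune locally.
    groups = defaultdict(set)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].add(r["qname"])
    hits = []
    for (client, domain), names in groups.items():
        odd = [n for n in names
               if len(n.split(".")[0]) >= min_label_len
               and shannon_entropy(n.split(".")[0]) >= min_entropy]
        if len(odd) >= min_unique:
            hits.append({"client": client, "domain": domain,
                         "suspicious_queries": len(odd)})
    return sorted(hits, key=lambda h: -h["suspicious_queries"])
```

Running `suspicious_domains(parse_log(SAMPLE_DNS_LOG))` flags only the 10.0.0.7 / example-tunnel.net pair; the ordinary example.com lookups fall below every threshold.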
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in