InvisiMole Group Hits Military, Diplomats in Highly Targeted Campaign

In a recent campaign, the elusive InvisiMole group has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe, ESET reports.


First reported on in 2018 but active since at least 2013, InvisiMole appears to be tightly connected to the Russia-linked threat group Gamaredon, which is also believed to have started activity in 2013. Despite the groups’ close connection, ESET believes they are separate entities.


An analysis of recent attacks, which started in late 2019 and appear to be ongoing, revealed that InvisiMole’s tools are dropped only on environments that have been previously compromised by Gamaredon.


In fact, a .NET downloader associated with Gamaredon is used for InvisiMole deployment, but only on a small number of targets, likely those that have been deemed of interest.


“Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar,” comments Zuzana Hromcová, the ESET researcher who analyzed InvisiMole.


During attacks, the threat actor has been actively updating its toolset, redesigning and recompiling existing components and adding new tools. ESET discovered multiple versions of one of the employed backdoors, including some compiled freshly prior to deployment.


Once it has established a foothold in a compromised environment, InvisiMole uses several techniques for lateral movement, including the BlueKeep (CVE-2019-0708) and