ESET researchers reveal the modus operandi of the elusive InvisiMole group, including newly discovered ties with the Gamaredon group.

Original article available here: https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

The InvisiMole Group is a threat actor operating since at least 2013, whose malware was first reported by ESET in 2018 in connection with targeted cyberespionage operations in Ukraine and Russia. We previously documented the group’s two feature-rich backdoors, RC2CL and RC2FM, that provide extensive espionage capabilities such as recording from the victims’ webcam and microphone, tracking the victims’ geolocation, and collecting recently accessed documents. However, little was known about the rest of the group’s tactics, techniques and procedures (TTPs). In late 2019, InvisiMole resurfaced with an updated toolset, targeting a few high-profile organizations in the military sector and diplomatic missions, both in Eastern Europe. ESET researchers investigated these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors — the missing pieces of the puzzle in our previous research. The investigation also led us to reveal previously unknown cooperation between the InvisiMole Group and Gamaredon, a highly active threat group also operating since at least 2013, and mainly targeting Ukrainian institutions.

InvisiMole’s toolset

ESET telemetry suggests that the attackers were actively developing their malware throughout the campaign, redesigning and recompiling its components, as well as introducing new ones. For example, we found several versions of InvisiMole’s loader and RC2FM backdoor, with one of the samples apparently freshly compiled before being deployed and detected by ESET. We also observed that, later in the operation, the attackers abandoned the use of the PE format for their files, in an attempt to avoid detection. As for the newly introduced components, we discovered a previously unreported TCP downloader and a DNS downloader, the latter using DNS tunneling to communicate with the C&C server.

Overall, the campaign is characterized by long execution chains with multiple layers of per-victim encryption, making it difficult to reconstruct the attack. In these execution chains, the attackers used several interesting living off the land techniques: they abused legitimate applications (also called living off the land binaries or LOLBins) to execute their own code, set up persistence, perform lateral movement and other operations, aiming to bypass application whitelisting and fly under the radar.

Furthermore, we found that InvisiMole delivers vulnerable executables to compromised computers and exploits them for covert code execution and long-term persistence. The attackers brought a vulnerable speedfan.sys driver onto a compromised computer, exploiting it in order to inject InvisiMole into a legitimate process from kernel mode. This technique was used previously, for example, by the Slingshot APT [4] and has been referred to as Bring Your Own Vulnerable Driver (BYOVD) by fellow researchers. Besides the driver, the attackers delivered a vulnerable Windows component from Windows XP and exploited its input validation vulnerability, or a vulnerable third-party software package and exploited its stack overflow vulnerability; we named this technique Bring Your Own Vulnerable Software (BYOVS).

For lateral movement, we observed that the InvisiMole Group steals documents or software installers from the compromised organization, and replaces them in the original locations with their own trojanized versions, or uses EternalBlue and BlueKeep exploits to spread to vulnerable hosts within the network.

Cooperation between InvisiMole and Gamaredon

During our investigation, we discovered that InvisiMole is delivered to the compromised systems by a .NET downloader detected by ESET products as MSIL/Pterodo, the work of the Gamaredon group. Gamaredon malware is usually distributed through spearphishing emails and used to move laterally as far as possible within the target’s network, while fingerprinting the machines. Our research now shows Gamaredon is used to pave the way for a far stealthier payload — according to our telemetry, a small number of Gamaredon’s targets are “upgraded” to the advanced InvisiMole malware, likely those deemed particularly significant by the attackers.

Execution guardrails

InvisiMole uses a Windows feature called Data Protection API (DPAPI) to place execution guardrails and encrypt the payloads individually per victim, specifically:

• the CryptProtectData API for data encryption

• the CryptUnprotectData API for data decryption

This symmetric encryption scheme uses a key derived from the user’s login secrets, so the decryption must be performed on the same computer where the data was encrypted. The DPAPI feature, intended for local storage of credentials such as Wi-Fi passwords or login passwords in web browsers, is abused by InvisiMole to protect its payload from security researchers. Even if they find InvisiMole’s components in telemetry or on malware sharing platforms, they can’t decrypt them outside the victim’s computer. However, thanks to direct cooperation with the affected organizations, we were able to recover the payloads and reconstruct four of InvisiMole’s execution chains.
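A file protected this way can still be recognised during triage, even though it cannot be decrypted off the host. The following added example (not ESET's code and not part of the original article) scans a buffer for the header that CryptProtectData output normally starts with and reads the master key GUID from it; the field layout is the publicly reverse-engineered one and is an assumption here, and the sample input is constructed.

```python
import struct
import uuid

# Reverse-engineered DPAPI blob layout (assumption, not from the article):
# dwVersion(4) | provider GUID(16) | dwMasterKeyVersion(4) | master key GUID(16)
# | dwFlags(4) | dwDescriptionLen(4) | description (UTF-16LE) | ciphertext fields
PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
MAGIC = struct.pack("<I", 1) + PROVIDER_GUID.bytes_le
FIXED_LEN = 48  # bytes up to and including dwDescriptionLen


def find_dpapi_blobs(data: bytes) -> list:
    """Return one dict per plausible DPAPI blob header found in data."""
    hits = []
    pos = data.find(MAGIC)
    while pos != -1:
        if pos + FIXED_LEN <= len(data):
            _mk_ver, mk_guid, flags, desc_len = struct.unpack_from(
                "<I16sII", data, pos + 20)
            desc = data[pos + FIXED_LEN:pos + FIXED_LEN + desc_len]
            # Skip truncated hits and odd lengths that cannot be UTF-16LE.
            if len(desc) == desc_len and desc_len % 2 == 0:
                hits.append({
                    "offset": pos,
                    # Names the user's master key file needed for decryption.
                    "master_key_guid": str(uuid.UUID(bytes_le=mk_guid)),
                    "flags": flags,
                    "description": desc.decode("utf-16-le", "replace").rstrip("\x00"),
                })
        pos = data.find(MAGIC, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed input: padding, one fake blob header, fake ciphertext."""
    mk = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed value
    desc = "demo\x00".encode("utf-16-le")
    blob = MAGIC + struct.pack("<I", 1) + mk.bytes_le
    blob += struct.pack("<II", 0, len(desc)) + desc + b"\xAA" * 32
    return b"\x00" * 7 + blob


if __name__ == "__main__":
    for hit in find_dpapi_blobs(build_sample()):
        print(hit)
```

A hit tells the responder that the artefact has to be handled together with the affected host's user profile, which matches the article's point that the payloads were only recoverable in cooperation with the affected organizations.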

Acknowledgements to fellow ESET researchers Matthieu Faou, Ladislav Janko and Michal Poslušný for their work on this investigation.