The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole's operations and the group's tactics, tools, and procedures (TTPs).
"ESET researchers conducted an investigation of these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole's backdoors," the company said in a report shared with The Hacker News.
Cooperation with the Gamaredon Group
First discovered in 2018, InvisiMole has been active at least since 2013 in connection with targeted cyber-espionage operations in Ukraine and Russia. After slipping under the radar, the threat actor returned late last year with an updated toolset and previously unreported tactics to obfuscate malware.
"InvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources," ESET researchers had previously noted in a June 2018 report. "Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible."
The feature-rich spyware, dubbed RC2FM and RC2CL, was found to be capable of making system changes, scanning wireless networks to track the geolocation of victims, gathering user information, and even uploading sensitive files located in the compromised machine. But the exact mechanism of malware delivery remained unclear until now.
Not only did ESET find evidence of "living off the land" techniques that exploited legitimate applications to stealthily carry out malicious operations, but they also discovered ties to a second threat actor called the Gamaredon group, which has a long history of cyberattacks against Ukrainian institutions.
"Gamaredon is used to pave the way for a far stealthier payload – according to our telemetry, a small number of Gamaredon's targets are 'upgraded' to the advanced InvisiMole malware, likely those deemed particularly significant by the attackers," the researchers said, adding the malware is deployed only after the attackers gained administrative privileges, as many of InvisiMole's execution methods require elevated permissions.
Once the initial compromise takes place, InvisiMole exploits BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB protocols or makes use of trojanized documents and software installers to propagate laterally across the network.
In addition to employing updated versions of the RC2CL and RC2FM backdoors, the malware leverages a new TCS downloader to download additional modules and a DNS downloader, which, in turn, leverages DNS tunneling to mask communications to an attacker-controlled server.
"With DNS tunneling, the compromised client does not directly contact the C&C server; it only communicates with the benign DNS server(s) the victim machine would normally communicate with, where it sends requests to resolve a domain to its IP address," the researchers said. "The DNS server then contacts the name server responsible for the domain in the request, which is an attacker-controlled name server, and relays its response back to the client."
RC2CL and RC2FM: Fully-Featured Spyware
What's more, the final payloads, RC2CL and RC2FM, were delivered via no less than four different execution chains that were put together by combining malicious shellcode with legitimate tools and vulnerable executables.
The improved RC2CL backdoor supports as many as 87 commands, with capabilities to turn on webcam and microphone devices to take photos, record video, and sound, capture screenshots, collect network information, list installed software, and monitor recently accessed documents by the victim. Although not used prominently, RC2FM comes with its own set of document exfiltration commands, along with new features to log keystrokes and bypass user access control (UAC).
Furthermore, the new versions of both RC2CL and RC2FM come with their own means to escape antivirus detection, including injecting themselves into other innocuous processes and suppressing specific features, such as keylogging.
"The targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware," ESET researcher Zuzana Hromcová said. This previously unknown cooperation between the two groups "allows the InvisiMole group to devise creative ways of operating under the radar," she added.