Partners in Crime: InvisiMole and Gamaredon
InvisiMole is back with new tools and a new APT partnership. The group is known for targeting diplomatic missions, along with the military sector, in Eastern Europe.
What is happening?
InvisiMole operators have struck out a partnership with the Gamaredon APT group. Since late-2019, the former has been targeting high-profile organizations in the military sector and diplomatic missions in Eastern Europe. The group has updated its TTPs for improved execution, lateral movement, and delivery of its backdoors.
What are the updated toolsets?
- The two backdoors - RC2CL and RC2FM - used by the threat actors feature several cyberespionage capabilities, including geolocation, collecting victim information, and making system changes.
- The updated toolset leverages living off the land techniques, used across its four execution chains.
- Another component, namely DNS tunneling has been added to add more stealth to the malware's C2 communications.
- The operators have also been found using BlueKeep exploit (CVE-2017-0144) and NSA exploit EternalBlue (CVE-2019-0708) for lateral movement across networks.
- To stay under the radar, the group uses vulnerable executables of legitimate tools, such as SpeedFan utility and Total Video Player.
The connection with Gamaredon
- Researchers have found attempts at deploying the InvisiMole malware while utilizing server infrastructure that is solely used by Gamaredon.
- It is believed that in this partnership, Gamaredon’s role is to infiltrate victim systems using their own tools and gain admin privileges. Subsequently, InvisiMole steps in with its advanced techniques to deploy its backdoors.
- However, while Gamaredon has never been the one to keep a low profile, InvisiMole has taken extra steps to evade detection.
The bottom line is that the partnership has proven to be beneficial for both groups. While Gamaredon paves the way for a stealthier payload for InvisiMole, InvisiMole helps with upgrading high-value targets for the former APT group.