Partners in Crime: InvisiMole and Gamaredon

What is happening?

What are the updated toolsets?

• The two backdoors - RC2CL and RC2FM - used by the threat actors feature several cyberespionage capabilities, including geolocation, collecting victim information, and making system changes.
• The updated toolset leverages living off the land techniques, used across its four execution chains.
• Another component, namely DNS tunneling has been added to add more stealth to the malware's C2 communications. 
• The operators have also been found using BlueKeep exploit (CVE-2017-0144) and NSA exploit EternalBlue (CVE-2019-0708) for lateral movement across networks.
• To stay under the radar, the group uses vulnerable executables of legitimate tools, such as SpeedFan utility and Total Video Player.

The connection with Gamaredon

• Researchers have found attempts at deploying the InvisiMole malware while utilizing server infrastructure that is solely used by Gamaredon.
• It is believed that in this partnership, Gamaredon’s role is to infiltrate victim systems using their own tools and gain admin privileges. Subsequently, InvisiMole steps in with its advanced techniques to deploy its backdoors.
• However, while Gamaredon has never been the one to keep a low profile, InvisiMole has taken extra steps to evade detection.