Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into the high-profile military and diplomatic entities in Eastern Europe for espionage.
The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole’s operations and the group’s tactics, tools, and procedures (TTPs).
“ESET researchers conducted an investigation of these attacks in cooperation with the affected organisations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole’s backdoors,” the company said in a report shared with The Hacker News.
Cooperation with the Gamaredon Group
First discovered in 2018, InvisiMole has been active at least since 2013 in connection with targeted cyber-espionage operations in Ukraine and Russia. After slipping under the radar, the threat actor returned late last year with an updated toolset and previously unreported tactics to obfuscate malware.
“InvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources,” ESET researchers had previously noted in a June 2018 report. “Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible.”
The feature-rich spyware, dubbed RC2FM and RC2CL, was found to be capable of making system changes, scanning wireless networks to track the geolocation of victims, gathering user information, and even uploading sensitive files located in the compromised machine. But the exact mechanism of malware delivery remained unclear until now.
images from Hacker News