InvisiMole and Gamaredon join hands to spread backdoor malware

Researchers have revealed that the InvisiMole and Gamaredon hacker groups joined forces to launch targeted attacks on high-profile organizations in Eastern Europe

InvisiMole collaborates with the Gamaredon APT to spy on the Eastern European military

The ESET research group[1] has revealed a tandem of two infamous hacker groups, InvisiMole and Gamaredon, working together to attack the military sector and diplomatic organizations in Eastern Europe. The InvisiMole APT was first reported in 2018 as one of the most persistent spyware operations uncovered up to that point, active since 2013[2]. At that time, the hackers behind this spyware were using two malicious components that allowed them to access the system, turn the computer into a camera, and steal the victim's credentials with relative ease.

The other group, dubbed the Gamaredon APT[3], is no less dangerous. Its actors are known for developing hacking tools in series, compromising various devices, collecting intelligence, spreading malware, and exhibiting links to the Russian government. In the past, both InvisiMole and Gamaredon have been active in Eastern Europe, and in Ukraine in particular.

According to the researchers, the current campaign, revealed in June 2020, is carried out in a much more sophisticated multi-stage format. Instead of the RC2FM and RC2CL backdoor modules used before, the InvisiMole group has improved its toolset by combining shellcode with vulnerable executables, legitimate Windows system tools, DNS tunneling, C&C communication, and novel persistence methods.

EternalBlue and BlueKeep vulnerabilities used for the distribution

During the current attacks on the Eastern European military and organizations, the criminals are taking advantage of each other's strengths. The .NET downloader that belongs to Gamaredon is used for the InvisiMole deployment. To exploit the compromised environment and spread the payload, the InvisiMole backdoor uses the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144)[4] vulnerabilities, as well as pirated software installers and trojan-infected documents.

Upon launch of the payload, the criminals deploy the DNS downloader to ensure persistence, enable DNS tunneling, and establish communication with the C&C server. After that, the payload unleashes improved variants of the RC2FM and RC2CL backdoors.
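The DNS tunneling and C&C channel described above is one of the more detectable parts of this chain from the defender's side, because encoding data into queries produces many unique, long, random-looking subdomain labels under one zone. The following Python script is an added example, not code from ESET or from this article: it reads constructed resolver log lines (the four-column "timestamp client rrtype qname" format is an assumption) and flags client/zone pairs whose labels look like encoded data.

```python
"""Heuristic detection of DNS-tunnelling style query patterns.

Added example (not ESET's or the article's code). The log format is an
assumption: one query per line as "<timestamp> <client-ip> <rrtype> <qname>".
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log. Host 10.0.0.5 sends many unique, long,
# random-looking TXT lookups under one zone, which is how tunnelled data
# usually looks; the other hosts perform ordinary name lookups.
SAMPLE_LOG = """\
2020-06-18T10:00:01Z 10.0.0.5 TXT 7a91c4e2f0b3d8a6e5c1.updates-cdn.example
2020-06-18T10:00:02Z 10.0.0.5 TXT 3f8e2b9d1c7a4e6f0b5d.updates-cdn.example
2020-06-18T10:00:03Z 10.0.0.5 TXT 9c2d7e1f4a8b3c6d0e5f.updates-cdn.example
2020-06-18T10:00:04Z 10.0.0.5 TXT b4e7a1d9c3f2e8b6a0d5.updates-cdn.example
2020-06-18T10:00:05Z 10.0.0.5 TXT e1f6c3a8d2b7e4f9c0a3.updates-cdn.example
2020-06-18T10:00:06Z 10.0.0.5 TXT 5d0a8f3c7e2b9d4a1f6c.updates-cdn.example
2020-06-18T10:00:07Z 10.0.0.5 TXT 2b9e4c7f1a6d3e8b5f0c.updates-cdn.example
2020-06-18T10:00:08Z 10.0.0.5 TXT 8f3a6d1e9c4b7f2a5e0d.updates-cdn.example
2020-06-18T10:00:09Z 10.0.0.7 A www.corp.example
2020-06-18T10:00:10Z 10.0.0.7 A mail.corp.example
2020-06-18T10:00:11Z 10.0.0.9 A www.corp.example
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking encodings score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_zone(qname):
    """Split a query name into (zone = last two labels, subdomain = the rest)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Yield (timestamp, client, rrtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def profile_queries(text):
    """Aggregate per (client, zone): unique subdomains, label lengths, entropies, TXT share."""
    stats = defaultdict(lambda: {"subdomains": set(), "lengths": [],
                                 "entropies": [], "txt": 0, "total": 0})
    for _, client, rrtype, qname in parse_log(text):
        zone, sub = split_zone(qname)
        s = stats[(client, zone)]
        s["total"] += 1
        if rrtype == "TXT":
            s["txt"] += 1
        if sub:
            s["subdomains"].add(sub)
            s["lengths"].append(len(sub))
            s["entropies"].append(shannon_entropy(sub.replace(".", "")))
    return stats


def find_tunnel_suspects(text, min_unique=5, min_mean_len=16, min_entropy=3.0):
    """Return (client, zone) pairs whose subdomain labels look like encoded data.

    The thresholds are starting points chosen for this demo, not ESET's numbers;
    tune them against a baseline of the network's own legitimate traffic (CDNs
    and anti-spam services also generate long labels) before alerting on them.
    """
    suspects = []
    for (client, zone), s in profile_queries(text).items():
        if len(s["subdomains"]) < min_unique:
            continue
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if mean_len >= min_mean_len and mean_ent >= min_entropy:
            suspects.append({
                "client": client,
                "zone": zone,
                "unique_subdomains": len(s["subdomains"]),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_ratio": round(s["txt"] / s["total"], 2),
            })
    return sorted(suspects, key=lambda r: r["unique_subdomains"], reverse=True)


if __name__ == "__main__":
    for hit in find_tunnel_suspects(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, the script reports only 10.0.0.5 talking to updates-cdn.example (8 unique 20-character labels, entropy near 3.9 bits per character, all TXT queries); the hosts doing ordinary lookups never reach the unique-subdomain threshold. A high TXT share is reported alongside rather than used as a hard rule, since tunnels can also ride A or NULL records.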

The InvisiMole spyware is highly dangerous because of its persistence and its potential to leak personally identifiable information (PII). According to the researchers, it looks for the documents or software installers that the targeted organization keeps on its servers and then replaces them with trojan-infected variants.

If a trojan-infected installer of legitimate software is kept on the organization's central server, the malware can infiltrate that server with relative ease, ensure persistence, and start leaking information.
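The central-server scenario above is a textbook case for file-integrity monitoring of the software repository: a trojanized installer still carries the original file name, so only a comparison against known-good hashes reveals the swap. The following Python script is an added example, not code from ESET or from this article. It builds a SHA-256 manifest from a trusted snapshot of the share, then reports installers whose bytes changed, files that appeared without approval, and files that went missing. The directory layout and file contents are constructed for the demo.

```python
"""Integrity check for installers kept on a central file share.

Added example, not ESET's or the article's code. The share layout and the
files in it are constructed for the demo; in practice the manifest is built
from a trusted copy and stored (ideally signed) somewhere the share's users
cannot write, and the check runs on a schedule from a separate host.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, trusted):
    """Compare the share's current state with the trusted manifest.

    'modified' is the case the article describes: a legitimate installer whose
    bytes no longer match the known-good hash. 'added' catches files that were
    never approved, 'missing' catches removed ones.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "added": sorted(p for p in current if p not in trusted),
        "missing": sorted(p for p in trusted if p not in current),
    }


def _write(root, rel, data):
    """Helper for the demo: write bytes to root/rel, creating parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo():
    """Build a trusted manifest, simulate tampering, and return the verification report."""
    with tempfile.TemporaryDirectory() as share:
        # Constructed placeholder content standing in for real installers.
        _write(share, "installers/editor-setup.exe", b"MZ placeholder: genuine editor installer")
        _write(share, "installers/vpn-client.msi", b"placeholder: genuine VPN client package")
        _write(share, "docs/install-guide.txt", b"placeholder: internal install guide")
        trusted = build_manifest(share)

        # Simulated tampering: one installer replaced under the same name,
        # one unapproved file dropped into the share, one document removed.
        _write(share, "installers/editor-setup.exe", b"MZ placeholder: trojanized editor installer")
        _write(share, "installers/update-helper.exe", b"placeholder: file nobody approved")
        os.remove(os.path.join(share, "docs", "install-guide.txt"))

        return verify_manifest(share, trusted)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

The report from the demo lists editor-setup.exe as modified, update-helper.exe as added and install-guide.txt as missing. Hashing rather than comparing size or modification time matters here: a replacement binary can be padded to the original size and its timestamp reset, but it cannot keep the original SHA-256.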

Government-supported backdoor virus targeting high-profile organizations. What data may be sought?

There are links that allow cybersecurity experts to claim that the Gamaredon and InvisiMole hackers may be Russian government-supported. Despite the close links between the groups, ESET researcher Zuzana Hromcova states that these hackers are separate entities performing very distinct attacks.

Either way, the link to the Russian government is a worrying fact, because such hackers are known for being well equipped and for initiating long-term attacks[5] that usually achieve their goal. As pointed out by ESET, if the malware is firmly rooted in the organization's central server, the RC2FM and RC2CL backdoors can leak anything found on the server-connected devices.

RC2FM capabilities:

  • The backdoor gives the criminals the ability to capture input and the screen
  • The malware can read keystrokes and record video captured on the webcam
  • The InvisiMole virus can download additional files to be executed on the compromised system
  • The malware can encrypt data using an XOR cipher
  • Gathered data is exfiltrated to the C&C server

RC2CL backdoor capabilities:

  • The backdoor can record sound from microphones by misusing the legitimate lame.dll library
  • It can collect data from the system and monitor changes within specific directories
  • Stores harvested information in a central location for later exfiltration
  • Captures screenshots
  • Can access the victim's webcam and record photos/videos
  • Can download additional files and run them
  • Encrypts some data using an altered XOR cipher

In general, the collaboration of the two groups can lead to large-scale attacks on Eastern European (or other) organizations, which is why IT managers should take all possible precautions to protect their systems from such attacks.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree is in English Philology.
