19 June 2020

InvisiMole hackers return with new cyber espionage tools, target military, diplomats in Eastern Europe


An elusive threat group is back with a new cyber espionage campaign aimed at high-profile military and diplomatic entities in Eastern Europe, researchers from ESET revealed.

First spotted in 2018, the InvisiMole group, which is believed to have been active since at least 2013, appears to be closely connected to the Russia-linked Gamaredon threat group, which has also been operating since 2013. Despite this connection, ESET assesses InvisiMole and Gamaredon to be two separate groups.

An investigation into recent InvisiMole attacks, which started in late 2019 and appear to be ongoing, showed that InvisiMole's tools are delivered only to environments that Gamaredon has previously compromised.

“Our research now shows Gamaredon is used to pave the way for a far stealthier payload – according to our telemetry, a small number of Gamaredon’s targets are “upgraded” to the advanced InvisiMole malware, likely those deemed particularly significant by the attackers,” ESET noted.

The InvisiMole malware spreads within compromised networks by exploiting the BlueKeep (CVE-2019-0708) vulnerability in RDP or the EternalBlue (CVE-2017-0144) vulnerability in SMB, both of which have had vendor patches available since 2019 and 2017, respectively, so successful use of either inside a network points to unpatched internal hosts. A third propagation method uses weaponized documents and software installers built from benign files stolen from the compromised organization.

“To craft the trojanized files, InvisiMole first steals documents or software installers from the compromised organization, and then creates an SFX archive bundling the file with the InvisiMole installer. The original file is then replaced with the weaponized version, while its name, icon and metadata are preserved. The attackers rely on the users to share and execute these files,” the researchers explained.

“This lateral movement technique is especially powerful if the trojanized file happens to be a software installer placed on a central server – a common way to deploy software in larger organizations. That way, InvisiMole is organically distributed to many computers that use this server.”
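The trojanized files described above are self-extracting (SFX) archives: a small executable stub with an archive appended after the last PE section, where the original file and the implant are bundled. Because the stub carries the original name, icon and metadata, the giveaway is structural rather than cosmetic. The following Python script, added here as an illustration and not code from ESET or from the InvisiMole toolset, computes where a PE's section data ends and looks for RAR, 7-Zip or ZIP signatures in the overlay that follows. The sample files, including the stub PE and the 7-Zip SFX configuration block, are constructed inline so it runs offline.

```python
"""Triage check for SFX-style trojanized files on a software share.

Added example, not code from ESET or from the InvisiMole toolset. A
self-extracting archive is a small PE stub with the archive appended after
the last section (the "overlay"); the original document or installer and the
implant live inside that archive, so the stub's name, icon and version
metadata can be made to match the original. This script computes where the
PE section data ends and looks for RAR/7-Zip/ZIP signatures in the overlay.
All sample files below are constructed so the example runs offline.
"""
import struct
from typing import Dict, Optional

# Archive signatures commonly found behind an SFX stub.
ARCHIVE_MAGICS = {
    "RAR": b"Rar!\x1a\x07",
    "7-Zip": b"7z\xbc\xaf\x27\x1c",
    "ZIP": b"PK\x03\x04",
}
# How far into the overlay to look: 7-Zip SFX, for example, places a short
# text config block between the stub and the archive.
OVERLAY_SEARCH_WINDOW = 64 * 1024


def overlay_offset(data: bytes) -> Optional[int]:
    """Return the offset where PE section data ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                     # 20-byte COFF file header
    if len(data) < coff + 20:
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    if len(data) < section_table + num_sections * 40:
        return None
    end = section_table + num_sections * 40  # at least the headers
    for i in range(num_sections):
        # Section header: Name(8), VirtualSize, VirtualAddress,
        # SizeOfRawData (+16), PointerToRawData (+20), ...
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def sfx_verdict(data: bytes) -> Optional[str]:
    """Name the archive format appended to a PE, or None when nothing is found."""
    end = overlay_offset(data)
    if end is None or end >= len(data):
        return None
    window = data[end:end + OVERLAY_SEARCH_WINDOW]
    hits = [(window.find(magic), name) for name, magic in ARCHIVE_MAGICS.items()]
    hits = [h for h in hits if h[0] != -1]
    return min(hits)[1] if hits else None   # earliest signature wins


def build_stub_pe(section_bytes: bytes) -> bytes:
    """Construct a minimal PE (DOS header + COFF header + one section).

    It exists only to give the parser realistic input; it is not loadable.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40        # section data starts after headers
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    return dos_header + b"PE\0\0" + coff_header + section + section_bytes


# Constructed samples: a clean stub, the same stub with a 7-Zip SFX config
# block and archive appended, a RAR SFX, and a non-PE file.
STUB = build_stub_pe(b"\x90" * 32)
SEVENZIP_SFX_CONFIG = b';!@Install@!UTF-8!\nRunProgram="setup.exe"\n;!@InstallEnd@!\n'
SAMPLES: Dict[str, bytes] = {
    "setup_clean.exe": STUB,
    "setup_trojanized.exe": STUB + SEVENZIP_SFX_CONFIG + ARCHIVE_MAGICS["7-Zip"] + b"\0" * 48,
    "report.docx.exe": STUB + ARCHIVE_MAGICS["RAR"] + b"\0" + b"\x11" * 48,
    "readme.txt": b"just text, not a PE",
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Return name -> archive format for every sample carrying an SFX overlay."""
    results = {}
    for name, data in samples.items():
        verdict = sfx_verdict(data)
        if verdict:
            results[name] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: SFX overlay ({verdict})")
```

A hit is a triage signal, not a verdict: legitimate installers built with NSIS, Inno Setup or the 7-Zip SFX module carry the same kind of overlay. On a central deployment share, follow up by verifying the Authenticode signature of each flagged installer and comparing its hash with the vendor's published value; a once-signed installer that is now unsigned, or whose hash changed while its version metadata did not, matches the replacement technique ESET describes.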

One of the most interesting aspects of the observed campaign is the use of long execution chains to deliver final payloads – the updated RC2CM and RC2CL backdoors, and the new TCP and DNS downloaders.

ESET described the execution chains used by the attackers as follows:

1. The Control Panel misuse chain uses a rare technique, known from the Vault 7 leaks, to achieve covert execution in the context of the Control Panel.

2. The SMInit exploit chain exploits a vulnerability in the legitimate Total Video Player software. It is used in cases where the attackers have not managed to obtain administrative privileges on the system.

3. The Speedfan exploit chain exploits a local privilege escalation vulnerability in the speedfan.sys driver to inject its code into a trusted process from kernel mode.

4. The Wdigest exploit chain is InvisiMole's flagship chain, the most elaborate of the four, used on the newest versions of Windows where the attackers already have administrative privileges. It exploits a vulnerability in the Windows wdigest.dll library and then uses an improved ListPlanting technique to inject its code into a trusted process.

The researchers also observed the InvisiMole group using the Windows Data Protection API (DPAPI) to encrypt its payloads individually per victim. Because DPAPI keys are bound to a specific user or machine, a payload protected this way can only be decrypted on the computer it was deployed to, so a sample collected from one host and analyzed elsewhere yields only ciphertext.

DPAPI is a Windows feature intended for local storage of secrets such as Wi-Fi passwords or login passwords saved by web browsers; it derives its encryption keys from the user's or the machine's credentials, which is what ties the encrypted payload to a single host.
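The per-victim binding comes from the DPAPI blob format itself: the output of CryptProtectData starts with a fixed provider GUID, then the GUID of the master key that protected it, the algorithms used, and the ciphertext. The Python script below, added here as an illustration and not code from ESET or from InvisiMole, recognises such a blob and reads its cleartext header, which is as far as an analyst gets without the victim's master key. The master key GUID, description and ciphertext in the sample are constructed; the header layout is the real one, and the script assumes the payload is stored as a raw CryptProtectData output blob.

```python
"""Identify DPAPI-protected blobs and read their cleartext header.

Added example, not ESET's or InvisiMole's code. Nothing in the header is
secret, so a file that begins this way can be recognised offline, but the
master key named in it exists only in the victim user's (or the machine's)
Protect folder and is itself derived from that principal's credentials,
which is why the payload cannot be decrypted on an analyst's machine. The
sample blob is built from constructed values (made-up master key GUID,
dummy ciphertext); the layout follows the real CryptProtectData output.
"""
import struct
import uuid
from typing import Optional

DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_ID values commonly seen in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


class _Reader:
    """Bounds-checked cursor over the blob; a short read means a truncated file."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def counted(self) -> bytes:
        """A DWORD length followed by that many bytes."""
        return self.take(self.u32())


def parse_dpapi_blob(blob: bytes) -> Optional[dict]:
    """Parse the unencrypted header of a CryptProtectData blob.

    Returns None when the data is not a DPAPI blob (wrong version or provider
    GUID) and raises ValueError when it is one but has been cut short.
    """
    if len(blob) < 24:
        return None
    version = struct.unpack_from("<I", blob, 0)[0]
    if version != 1 or uuid.UUID(bytes_le=blob[4:20]) != DPAPI_PROVIDER:
        return None
    r = _Reader(blob)
    r.take(20)                                   # version + provider GUID
    r.u32()                                      # master key version
    master_key = uuid.UUID(bytes_le=r.take(16))  # names the master key file
    flags = r.u32()                              # flags field as stored
    description = r.counted().decode("utf-16-le").rstrip("\0")
    alg_crypt, alg_crypt_bits = r.u32(), r.u32()
    salt = r.counted()
    r.counted()                                  # HMAC key, usually empty
    alg_hash, alg_hash_bits = r.u32(), r.u32()
    r.counted()                                  # HMAC2 key, usually empty
    data = r.counted()                           # the ciphertext
    signature = r.counted()                      # HMAC over the blob
    return {
        "master_key": str(master_key),
        "flags": flags,
        "description": description,
        "crypt_alg": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "crypt_bits": alg_crypt_bits,
        "hash_alg": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": alg_hash_bits,
        "salt_len": len(salt),
        "data_len": len(data),
        "signature_len": len(signature),
        "trailing_bytes": len(blob) - r.pos,
    }


def build_sample_blob(master_key: uuid.UUID, description: str, ciphertext: bytes) -> bytes:
    """Assemble a blob in the real layout from constructed field values."""
    def counted(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    desc = (description + "\0").encode("utf-16-le")
    salt = bytes(range(32))
    signature = b"\xab" * 64
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<I", 0) + counted(desc)
            + struct.pack("<II", 0x6610, 256) + counted(salt)   # AES-256
            + counted(b"")
            + struct.pack("<II", 0x800E, 512) + counted(b"")    # SHA-512
            + counted(ciphertext) + counted(signature))


# Constructed sample: made-up master key GUID, empty description, dummy data.
SAMPLE_MASTER_KEY = uuid.UUID("8b8a5d5c-7c1e-4d1b-9f0a-6f3f0b2a1c7d")
SAMPLE_BLOB = build_sample_blob(SAMPLE_MASTER_KEY, "", b"\x5a" * 96)

if __name__ == "__main__":
    for key, value in parse_dpapi_blob(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

The master key GUID is the useful forensic handle: it points to the file of the same name under the user's %APPDATA%\Microsoft\Protect\<SID>\ directory (or the machine's System32\Microsoft\Protect\ directory), and decrypting the payload requires that file plus the secret it is derived from, such as the user's password or, in a domain, the domain backup key. Collecting the blob alone, as sandboxes and scanners do, is therefore not enough, which is the point of the per-victim encryption ESET describes.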

“After discovering new activity in late 2019, we gained the opportunity to take a proper look under the hood of InvisiMole’s operations and piece together the hidden parts of the story. Analyzing the group’s updated toolset, we observed continuous development and substantial improvements, with special focus on staying under the radar,” the researchers concluded.
