Partners in Crime: InvisiMole and Gamaredon | Cyware Alerts

InvisiMole is back with new tools and a new APT partnership. The group is known for targeting diplomatic missions, along with the military sector, in Eastern Europe.

What is happening?

InvisiMole operators have struck out a partnership with the Gamaredon APT group. Since late-2019, the former has been targeting high-profile organizations in the military sector and diplomatic missions in Eastern Europe. The group has updated its TTPs for improved execution, lateral movement, and delivery of its backdoors.

What are the updated toolsets?

  • The two backdoors – RC2CL and RC2FM – used by the threat actors feature several cyberespionage capabilities, including geolocation, collecting victim information, and making system changes.
  • The updated toolset leverages living off the land techniques, used across its four execution chains.
  • Another component, namely DNS tunneling has been added to add more stealth to the malware’s C2 communications. 
  • The operators have also been found using BlueKeep exploit (CVE-2017-0144) and NSA exploit EternalBlue (CVE-2019-0708) for lateral movement across networks.
  • To stay under the radar, the group uses vulnerable executables of legitimate tools, such as SpeedFan utility and Total Video Player.

The connection with Gamaredon

  • Researchers have found attempts at deploying the InvisiMole malware while utilizing server infrastructure that is solely used by Gamaredon.
  • It is believed that in this partnership, Gamaredon’s role is to infiltrate victim systems using their own tools and gain admin privileges. Subsequently, InvisiMole steps in with its advanced techniques to deploy its backdoors.
  • However, while Gamaredon has never been the one to keep a low profile, InvisiMole has taken extra steps to evade detection.

The bottom line is that the partnership has proven to be beneficial for both groups. While Gamaredon paves the way for a stealthier payload for InvisiMole, InvisiMole helps with upgrading high-value targets for the former APT group.

Source link

Recent articles

Tubites · Packaging

Creating a playful, fresh, and colorful packaging for the new guilt-free snacks brand "Tubites". Each of the product lines is aimed at...

BlendNet free addon to simplify the cloud rendering

Rabit writes: The new BlendNet v0.2 was released and could be quite useful for everyone who wants to save money on the render farm...

What’s New on Netflix UK: July 8th, 2020

Stateless is now available to stream on Netflix UKA quiet Wednesday on Netflix UK with three 3 additions to the library. Of the...

Save time at the command line with HTTPie instead of curl

Ah, curl. While widely-loved and wildly powerful, its ergonomics leave something to be desired. Although it should not replace curl in your automation,...

Leave a reply

Please enter your comment!
Please enter your name here