#ESETresearch unearths modus operandi of the elusive #InvisiMole group, digging up their arsenal used to stay invisible. Our investigation also shows previously unknown ties between InvisiMole and #Gamaredon groups welivesecurity.com/2020/06/18/dig… @cherepanov74 @zuzana_hromcova 1/9
#InvisiMole #APT group resurfaced in targeted attacks against high-profile organizations in Eastern Europe, targeting the military sector and diplomatic missions. We previously documented their two feature-rich backdoors RC2CL and RC2FM; now we reveal the rest of their TTPs. 2/9
We discovered that the most interesting targets of #Gamaredon are upgraded to far stealthier #InvisiMole spyware, with Gamaredon’s .NET downloader delivering InvisiMole’s TCP downloader. This cooperation allows InvisiMole to devise creative ways to operate under the radar. 3/9
#InvisiMole places execution guardrails on its components to hide from security researchers. Encrypted with #DPAPI, the payload can only be decrypted on the victim’s computer. Luckily, we recovered the payloads thanks to our close cooperation with the affected organizations. 4/9
InvisiMole uses long execution chains for covert execution and long-term persistence. The group exclusively installs #LOLBins and vulnerable executables on the system, and then abuses these legitimate executables to load the malicious shellcode in the later stages. 5/9
The attackers use the Bring Your Own Vulnerable Driver (and Bring Your Own Vulnerable Software) techniques to introduce vulnerable executables to the system. They deliver and exploit the vulnerable #Windows wdigest.dll library, speedfan.sys driver and third-party software. 6/9
The attackers use an improved ListPlanting technique for code injection. Instead of calling WriteProcessMemory, #InvisiMole sends LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages to the target SysListView32, with shellcode bytes provided as the new coordinates. 7/9
For a stealthier C&C communication, #InvisiMole builds a custom DNS tunneling protocol on top of the #DNS protocol. The communication is embedded in subdomains, generated by the client for each request, and in DNS AAAA and NULL records from the server. 8/9
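The tweet above describes the two carriers of that tunnel: per-request subdomains generated by the client, and AAAA/NULL records carrying data back from the server. The following is an added defender-side example, not ESET's code and not a reimplementation of InvisiMole's protocol: a small Python heuristic that profiles a DNS query log per base domain and flags domains that combine many unique, high-entropy leading labels with a high share of AAAA/NULL queries. The log format (`timestamp client qname qtype`), the sample lines, the `c2-placeholder.test` domain and the thresholds are all constructed assumptions; a real deployment would also use the public suffix list rather than the two-label base-domain simplification used here.

```python
"""Heuristic detector for DNS-tunnelling-style query patterns (added example)."""
import math
from collections import defaultdict

# Constructed sample log, not real telemetry: "timestamp client qname qtype".
# c2-placeholder.test is a placeholder domain, not an indicator of compromise.
SAMPLE_LOG = """\
2020-06-18T10:00:01 10.0.0.5 www.example.com A
2020-06-18T10:00:02 10.0.0.5 mail.example.com MX
2020-06-18T10:00:03 10.0.0.7 x7g2k9qa3ppz1lm4.c2-placeholder.test AAAA
2020-06-18T10:00:04 10.0.0.7 b4n8s1vq0trz6hh2.c2-placeholder.test NULL
2020-06-18T10:00:05 10.0.0.7 q0wz5yr3n7lk8jf1.c2-placeholder.test AAAA
2020-06-18T10:00:06 10.0.0.7 m2dx9tp4vz6rs8kc.c2-placeholder.test NULL
2020-06-18T10:00:07 10.0.0.7 h5jk1ln0ry3wt9ab.c2-placeholder.test AAAA
2020-06-18T10:00:08 10.0.0.9 cdn.example.com AAAA
"""

# Record types the thread names as the server-to-client carrier.
# AAAA is also legitimate IPv6 traffic, so it is only one of several signals.
PAYLOAD_QTYPES = {"AAAA", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leading_label, base_domain).

    Assumption: the base domain is the last two labels. Real tooling should
    use the public suffix list so that e.g. example.co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def profile_domains(text: str):
    """Aggregate per-base-domain statistics from a query log."""
    stats = defaultdict(lambda: {
        "queries": 0, "labelled": 0, "labels": set(),
        "entropy_sum": 0.0, "payload_qtypes": 0, "null_qtypes": 0,
    })
    for _, qname, qtype in parse_log(text):
        label, base = split_qname(qname)
        s = stats[base]
        s["queries"] += 1
        if label:
            s["labelled"] += 1
            s["labels"].add(label)
            s["entropy_sum"] += shannon_entropy(label)
        if qtype in PAYLOAD_QTYPES:
            s["payload_qtypes"] += 1
        if qtype == "NULL":
            s["null_qtypes"] += 1
    return stats


def flag_tunneling(text: str, min_unique=4, min_entropy=3.0, min_payload_ratio=0.5):
    """Return {base_domain: [reasons]} for domains that match every heuristic.

    All three conditions must hold at once; requiring the conjunction keeps
    CDNs (many hostnames, low entropy) and IPv6-only hosts (AAAA, few names)
    from being flagged on a single signal.
    """
    flagged = {}
    for base, s in profile_domains(text).items():
        if s["labelled"] == 0:
            continue
        unique = len(s["labels"])
        avg_entropy = s["entropy_sum"] / s["labelled"]
        payload_ratio = s["payload_qtypes"] / s["queries"]
        if (unique >= min_unique and avg_entropy >= min_entropy
                and payload_ratio >= min_payload_ratio):
            reasons = [
                f"{unique} unique leading labels",
                f"mean label entropy {avg_entropy:.2f} bits/char",
                f"{payload_ratio:.0%} of queries are AAAA/NULL",
            ]
            if s["null_qtypes"]:
                reasons.append(f"{s['null_qtypes']} NULL-type queries (rare in normal traffic)")
            flagged[base] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunneling(SAMPLE_LOG).items():
        print(domain)
        for r in reasons:
            print("  -", r)
```

Run against the constructed log, only `c2-placeholder.test` is reported; `example.com` is left alone even though one of its queries is AAAA, because it has few hostnames and they are low-entropy words. Tune the thresholds against a baseline of your own resolver logs before relying on them.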
The Indicators of Compromise are available on our GitHub repository: github.com/eset/malware-i…

You can read the detailed white paper here: welivesecurity.com/wp-content/upl…

#ESETresearch #InvisiMole 9/9