InvisiMole Group Hits Military, Diplomats in Highly Targeted Campaign
2020-06-18 11:12

In a recent campaign, the elusive InvisiMole group has been targeting a small number of high-profile organizations in the military sector and diplomatic missions in Eastern Europe, ESET reports.

First reported in 2018 but active since at least 2013, InvisiMole appears to be tightly connected to the Russia-linked threat group Gamaredon, which is also believed to have begun operating in 2013.

"Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar," comments Zuzana Hromcová, the ESET researcher who analyzed InvisiMole.

In the new attacks, in addition to the TCP and DNS downloaders, InvisiMole has adopted the use of long execution chains for the deployment of final payloads, namely updated variants of the RC2CM and RC2CL backdoors.

According to ESET, one of the tactics that makes InvisiMole stand out in the crowd, in addition to per-victim encryption, is the exclusive use of legitimate tools during the early stages of infection, with the malicious payloads reserved for later stages.
News URL

http://feedproxy.google.com/~r/Securityweek/~3/Ij8oJVFo1jE/invisimole-group-hits-military-diplomats-highly-targeted-campaign