Security researchers have demystified the attack chain of the elusive InvisiMole cyberespionage group, revealing a complex multi-stage infection chain that relies on vulnerable legitimate tools, target-specific encryption of payloads, and stealthy command-and-control communication.
InvisiMole gets access to the target network through Gamaredon, a threat actor linked to Russia that runs reconnaissance operations and identifies valuable systems.
Both attack groups have been operational for at least seven years and despite their collaboration, they are considered distinct threat actors due to the clear difference in attack tactics and techniques.
Legitimate tools used in attack chains
InvisiMole malware was publicly documented for the first time in 2018, being classified as complex spyware of undetermined origin that can track victims' geographical location, spy via webcam, take screenshots, record audio, and steal documents.
Recently uncovered versions also use the Media Transfer Protocol (MTP) to steal photos from mobile phones connected to the infected computer.
... ...