InvisiMole: first-class persistence through second-class exploits

Zuzana Hromcová (ESET)
Live only, 19:00–19:30 UTC, Friday 2 October 2020 (Day 3)
In the era of Windows 10, would you still be disturbed by a vulnerability in a Windows XP library? What about a driver exploit known for over a decade, or a simple stack overflow vulnerability in an outdated piece of software? These might seem like issues of yesteryear – after all, they would likely not be the first (nor the best) choices for attackers looking to penetrate the most up-to-date systems. However, this changes if the attackers are already deep in the network, already elevated, and are seeking invisibility rather than access or privileges not yet in their possession.

Our recent investigation into the newest InvisiMole campaign shows that it’s possible to leverage these 'archaic' vulnerabilities to avoid security mitigations and bring persistence methods to a new level.

InvisiMole is a threat actor that has been operating since at least 2013, previously reported in connection with highly targeted cyberespionage operations in Eastern Europe. We recently conducted an extensive investigation of the group’s latest operation, which started in late 2019 and continues as of this writing. Thanks to the cooperation of the affected organizations, we were able to uncover the updated InvisiMole toolset and fill in previously unknown details about the delivery, persistence and lateral movement techniques used.

In this campaign, InvisiMole delivers external, vulnerable executables and other legitimate tools to the target system, and links them together in multistage chains that ultimately load the malicious payload in the context of a trusted process. The payloads take the form of the group's characteristic 'InvisiMole blobs' and are encrypted per victim using the Windows Data Protection API.

This set of tactics makes the malware very difficult to detect and to remove, as every component is either legitimate (even if vulnerable) or encrypted per victim.

In this presentation, we will provide insights from our investigation and will share how we were able to overcome these challenges to reconstruct the full compromise chain. We will dissect InvisiMole’s four multistage execution chains, each designed for a different type of victim environment. We will focus on how they incorporate the exploits with a variety of legitimate tools and techniques, such as improved ListPlanting or DNS tunnelling, to achieve covert code execution and blend into the typical network traffic. Finally, we will discuss the newly discovered collaboration between the InvisiMole and Gamaredon threat actors, which allows the InvisiMole group to devise such creative ways to stay under the radar.
Zuzana Hromcová (ESET)

Zuzana Hromcová is a reverse engineer who has worked at ESET since 2016. She is part of the @ESETresearch team, focusing on targeted espionage operations. She has presented her research at the AVAR, BlueHat IL and Virus Bulletin conferences, and is also a regular speaker at local events, aiming to spread awareness about information security among students.