InvisiMole group attacked Ukrainian organizations


The Computer Emergency Response Group in Ukraine (CERT-UA) reported on the ongoing phishing campaigns of the InvisiMole cybercrime group (also known as UAC-0035) targeting Ukrainian organizations. Hackers distribute a backdoor LoadEdge among the victims.

According to CERT-UA, phishing emails contain archive and shortcut file (LNK). When opened, the HTML application file (HTA) loads and executes a VBScript script designed to install LoadEdge.

LoadEdge is a backdoor written in the C++ programming language. The malware supports the commands fileEx, copyOverNw, diskops, disks, download, upload, getconf, setinterval, startr, killr, kill. The functionality of the program includes collecting information about disks, uploading and downloading files, file system operations and deletion.

As soon as the backdoor establishes communication with the InvisiMole command server, other payloads begin to be installed and launched, including TunnelMole and backdoor modules for collecting RC2FM and RC2CL information. Persistence is provided by the HTA file by creating an entry in the Run branch of the Windows register.

InvisiMole was discovered by ESET researchers in 2018. The attackers have been active since at least 2013 and have been linked to attacks on large organizations in Eastern Europe engaged in military activities and diplomatic missions. In 2020, cybersecurity researchers linked the InvisiMole grouping to APT Gamaredon (also known as Armageddon, Primitive Bear, and ACTINIUM).

The Gamaredon group, allegedly linked to Russia, has been organizing phishing attacks on Ukrainian enterprises and organizations since October 2021.

Start a discussion …