Unusual Alliance Gamaredon and InvisiMole Launch First Joint Attack Campaign
The Gamaredon group is a suspected Eastern European APT organization that primarily targets Ukrainian government officials, opposition members, and journalists for intelligence theft; its traceable activity dates back to 2013. The group's name originates from LookingGlass researchers' 2015 report "Operation Armageddon": security vendors coined "Gamaredon" from samples in which "Armageddon" was misspelled. Since its disclosure, 360 Advanced Threat Research Institute has tracked and analyzed this group over the long term. On June 18, 2020, ESET first revealed Gamaredon's use of InvisiMole's cyber weapons. The InvisiMole group, active since 2013 and linked to Ukrainian-Russian cyber espionage, is known for its proprietary backdoor framework. Using 360 Security Brain, we tracked recent collaborative activity between Gamaredon and InvisiMole and analyzed their backdoors and TTPs to produce this technical report for the community.

Through 360 Security Brain's data, we identified a C++ backdoor variant that differs from Gamaredon's known tools. It was deployed through existing backdoors, which indicates a prolonged compromise. Compiled on 2019-09-05 and first observed on 2019-09-27, this backdoor achieves persistence via scheduled tasks that run rundll32 against a DLL whose export function names are random strings (e.g., "58369bd66c424b20898"). It collects usernames and retrieves 7zip SFX packages from C2 servers, using what appears to be domain fronting (e.g., 1.gmail.com host headers). The core backdoor decrypts components stored as *.tmp files and deploys payloads in multiple stages, including HTA execution, shellcode injection via WinAPIExec, C# downloaders, and C++ backdoors.

The attack components use varied deployment methods: cmd+vbs combinations create LNK files that load remote HTAs; cmd+exe packages execute TCP downloaders (InvisiMole's exclusive tool) in memory; cmd+dll+sfx bundles deploy Stealdoc backdoors through thumbcache DLL masquerading; and password-protected SFX files rely on scheduled tasks for execution. Key payloads include VBS scripts that replace mosaic-related executables with malicious SFX bundles, C# downloaders that persist via tasks while exfiltrating disk information, and Stealdoc backdoors that exfiltrate Office/Chrome data while deduplicating files by hash (an MD5 of filename+size+timestamp).

This campaign demonstrates unprecedented code sharing between APT groups: Gamaredon deployed InvisiMole's TCP downloader, as evidenced by ESET's June 2020 disclosure and our September 2019 observations. The collaboration complicates attribution and underscores the need for comprehensive security data and precise threat intelligence that goes beyond conventional assumptions. 360's threat intelligence cloud and APT radar systems currently provide detection coverage for these activities.
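As an added illustration (not part of the 360 report) of the scheduled-task persistence described above, this Python heuristic flags task actions that launch rundll32 with a DLL from a user-writable path or with an export name that looks machine-generated, like the report's "58369bd66c424b20898". The task action strings are constructed samples, not real telemetry.

```python
import math
import re
from collections import Counter

# Constructed sample scheduled-task actions (not real telemetry).
SAMPLE_TASK_ACTIONS = [
    r'C:\Windows\System32\rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,58369bd66c424b20898',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\helper.dll",RunUpdateCheck',
    r'"C:\Program Files\Backup\backup.exe" /silent',
]

# rundll32 takes "<dll>,<export>" as its first argument; the DLL path may be quoted.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+("?)(?P<dll>[^",]+)\1,(?P<export>\S+)', re.IGNORECASE)

# Paths that are not writable by a normal user; anything else is treated as user-writable.
SYSTEM_DIRS = (r'c:\windows\\'[:-1], r'c:\program files')


def looks_random(name):
    """Heuristic: legitimate exports are CamelCase words (Control_RunDLL); the
    report's sample is a long run of hex characters with high entropy."""
    if len(name) < 12:
        return False
    hex_frac = sum(c in '0123456789abcdef' for c in name.lower()) / len(name)
    counts = Counter(name.lower())
    entropy = -sum(n / len(name) * math.log2(n / len(name)) for n in counts.values())
    return hex_frac > 0.9 and entropy > 3.0


def assess(action):
    """Return None for non-rundll32 actions, else a dict of the signals found."""
    m = RUNDLL32_RE.search(action)
    if not m:
        return None
    dll, export = m.group('dll'), m.group('export')
    dll_low = dll.lower()
    # A bare DLL name (shell32.dll) resolves via the normal search path; only
    # explicit paths outside the system directories count as user-writable.
    user_path = '\\' in dll_low and not dll_low.startswith(SYSTEM_DIRS)
    random_export = looks_random(export)
    return {'dll': dll, 'export': export, 'random_export': random_export,
            'user_writable_path': user_path,
            'suspicious': random_export or user_path}


def find_suspicious(actions):
    """Filter task actions down to those worth an analyst's attention."""
    return [a for a in actions if (assess(a) or {}).get('suspicious')]
```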