InvisiMole is allegedly conducting a series of attacks against Ukrainian targets, spreading the LoadEdge backdoor. Ukrainian security officials warned of the campaign, which features a threat actor group with ties to Russia. The Computer Emergency Response Team for Ukraine (CERT-UA) stated last week that the department had been advised of the phishing campaign. The phishing emails deliver an attached archive containing a shortcut (LNK) file. If the target opens it, a VBScript designed to deploy LoadEdge is executed.
Once the backdoor has been installed, it establishes a connection to an InvisiMole command-and-control server, through which further malware payloads are deployed and executed. One malware family observed in the attacks is TunnelMole, a tool that abuses the DNS protocol to form a tunnel used for distributing malicious software. The delivered components include RC2FM and RC2CL, both of which act as data collection and surveillance modules. InvisiMole was first discovered in 2018 by security researchers at ESET. Since its discovery, the group has been linked to attacks against high-profile organizations in Eastern Europe, notably in the military and diplomatic fields.
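As an added illustrative example (not code from CERT-UA, ESET or the original article), here is a simple detection heuristic for the kind of DNS tunnelling attributed above to TunnelMole: it flags clients that send many long, high-entropy subdomain labels to a single registrable domain. The log entries are constructed, and the thresholds are assumptions that would need tuning per environment.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (client, query name, record type).
# These are made-up entries, not data from the CERT-UA report.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.7", "a3f9c1e2b7d4f0a1c9e8.tunnel-example.net", "TXT"),
    ("10.0.0.7", "7e1d0c4b9a2f8e6d1c3b.tunnel-example.net", "TXT"),
    ("10.0.0.7", "c8b2a5d1f4e7093b6a1d.tunnel-example.net", "TXT"),
    ("10.0.0.7", "5d0e9f2c7b4a1e8d3c6f.tunnel-example.net", "TXT"),
    ("10.0.0.9", "cdn.example.org", "A"),
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded tunnel data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    # Naive: last two labels. Production code should use a public-suffix list.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_tunnel_candidates(queries, min_unique=4, min_label_len=16, min_entropy=3.5):
    """Return {(client, domain): count} for pairs that look like DNS tunnelling.

    Assumed thresholds: many distinct leftmost labels, each long and high-entropy,
    all aimed at one registrable domain from one client.
    """
    per_pair = defaultdict(set)
    for client, qname, _rtype in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label to inspect
        sub = labels[0]
        if len(sub) >= min_label_len and shannon_entropy(sub) >= min_entropy:
            per_pair[(client, registrable_domain(qname))].add(sub)
    return {k: len(v) for k, v in per_pair.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, domain), n in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"possible DNS tunnel: {client} -> {domain} ({n} unique labels)")
```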
Read More: Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers