A previously unknown piece of complex malware with spying capabilities was recently discovered by researchers at cybersecurity firm ESET. The spyware is dubbed InvisiMole and is regarded as an advanced cyber espionage tool most likely designed for attacks on nation-state and financial targets.
Technical Overview of InvisiMole Spyware
The two malicious components of InvisiMole were thoroughly analyzed by ESET researcher Zuzana Hromcová. Apparently, the components are able to turn the compromised host into a video camera, enabling attackers to capture sound and images of the victim's surroundings. Uninvited, InvisiMole's operators access the system, closely monitoring the victim's activities and stealing the victim's secrets, the researcher said in the official report.
According to the researcher's findings, the spyware has been active since at least 2013. However, owing to its sophisticated nature, it had gone undetected on compromised computers running ESET products in Ukraine and Russia. The extremely low detection rate most likely means that InvisiMole is highly targeted, having infected only a handful of computers.
The InvisiMole spyware has a modular architecture. The infection chain is triggered by a wrapper DLL, and the malicious activities are carried out by two modules embedded in its resources. Both modules are feature-rich backdoors, and deploying them together gives attackers access to as much information as they wish to gather. On top of that, the malware's authors have taken extra measures to keep it running quietly and undetected, allowing it to reside stealthily on a system for an unlimited period of time.
Unfortunately, researchers have yet to uncover how the malware infected its targets. All infection vectors are possible, including installation facilitated by physical access to the machine, ESET notes.
More about InvisiMole’s Components
The first, smaller module, RC2FM, contains a backdoor with fifteen supported commands. These are executed on the affected computer when the attackers instruct it to do so. The module is designed to make various changes to the system, but it also offers a number of spying commands.
Although this module is less complex than the second one, it still has some impressive features. One of them is the ability to extract proxy settings from browsers. It can then use these configurations to send data to its command and control server, which matters when the local network settings prevent the module from communicating with its master server directly. In addition, this module can turn on the target's microphone and record audio, encode the audio as MP3 and send it to InvisiMole's command and control server.
The second module, RC2CL, is the more powerful of the two components. It supports 84 backdoor commands and contains nearly all the functionality typical of an advanced spyware tool. What are those capabilities?
– Running remote shell commands, manipulating registry keys, executing files, obtaining a list of local apps, loading drivers, collecting information about the network, disabling User Account Control, turning off the Windows firewall, among others.
In addition to these capabilities, the RC2CL module is also capable of recording audio using the microphone and taking screenshots with the webcam.
The component also has some distinctive features, such as the ability to securely delete its own files once data collection is over. Self-deletion matters because it prevents forensic tools from recovering leftover files on disk and discovering what information the spyware collected and sent. This component can also turn itself into a proxy to relay communications between the first module and the command and control server. This feature is considered unique, as it hasn't been detected in any other spyware strain.
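A defender's check for the tampering described above, as an added example that is not from ESET's report or from the malware: it audits a registry snapshot for the UAC and firewall state that RC2CL alters and reports the per-user WinINet proxy that RC2FM would reuse for egress. The registry paths are the standard Windows locations for these values; the snapshot contents and the proxy address are constructed.

```python
# Added example (not ESET's code): audit a Windows registry snapshot for the
# control tampering described above. The snapshot is a constructed dict of
# "value path -> data"; on a live host it would come from a registry export
# or from EDR registry-change telemetry.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FIREWALL_BASE = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy")
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")


def audit_registry(snapshot):
    """Report which host controls are in the state the spyware wants.
    A missing value counts as 'not verifiably enabled' (fail closed)."""
    result = {"uac_disabled": False, "firewall_off": [], "egress_proxy": None}
    # EnableLUA == 1 means UAC is on; RC2CL can flip it to 0.
    if snapshot.get(UAC_KEY + r"\EnableLUA") != 1:
        result["uac_disabled"] = True
    # One EnableFirewall value per profile; RC2CL can zero them.
    for profile in PROFILES:
        if snapshot.get(f"{FIREWALL_BASE}\\{profile}\\EnableFirewall") != 1:
            result["firewall_off"].append(profile)
    # Not tampering, but the egress path RC2FM borrows when direct C2 traffic
    # is blocked: the per-user WinINet proxy that browsers read.
    if snapshot.get(PROXY_KEY + r"\ProxyEnable") == 1:
        result["egress_proxy"] = snapshot.get(PROXY_KEY + r"\ProxyServer")
    return result


def is_tampered(result):
    """True when any control the spyware is known to disable is off."""
    return result["uac_disabled"] or bool(result["firewall_off"])

# Constructed snapshot imitating a host after RC2CL disabled UAC and the
# standard/public firewall profiles; the proxy is a made-up corporate one.
TAMPERED = {
    UAC_KEY + r"\EnableLUA": 0,
    FIREWALL_BASE + r"\DomainProfile\EnableFirewall": 1,
    FIREWALL_BASE + r"\StandardProfile\EnableFirewall": 0,
    FIREWALL_BASE + r"\PublicProfile\EnableFirewall": 0,
    PROXY_KEY + r"\ProxyEnable": 1,
    PROXY_KEY + r"\ProxyServer": "proxy.corp.example:8080",
}
# Same host with every control on and no user proxy configured.
HARDENED = {k: 1 for k in TAMPERED if k.endswith(("EnableLUA", "EnableFirewall"))}

if __name__ == "__main__":
    for name, snap in (("tampered", TAMPERED), ("hardened", HARDENED)):
        print(name, audit_registry(snap))
```

The proxy finding is informational: it tells the analyst which proxy logs to search for the C2 traffic the first module would route through it.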
In conclusion, InvisiMole is a fully equipped piece of sophisticated spyware with a range of malicious capabilities.