In the world of malware there are many advanced specimens able to hide their identity and carry out illegal activity unnoticed for a long time. One such piece of spyware has now been detected: security researchers at ESET recently discovered spyware named “InvisiMole” that has been at work for the last 5 years.
InvisiMole spied on a very small number of targets in Ukraine and Russia. However, the origin of the malware is still unclear. It is believed to be one of the advanced cyber-espionage tools used in financially motivated or nation-state attacks.
That assessment rests on the malware's capabilities and its scarcity in the wild. InvisiMole infected only a few computers and has powerful abilities that generally take months to develop properly. That is why it is not suspected of being the work of an individual smash-and-grab cyber-criminal.
InvisiMole – very silent thief
Apart from the malware's binary files, there is hardly any information on how it spreads, who is behind it, or where it is in use.
According to ESET researcher Zuzana Hromcová, telemetry data on the spyware indicates that the actor(s) behind it have been active since 2013; the malware went undiscovered until recently, when ESET products detected it on compromised computers.
Unlike most other malware, this one leaves almost no clues about itself, as most of them have been wiped, which keeps the actor(s)' identity safe. With the exception of one file (dated 13 October 2013), all compilation timestamps were replaced with zeros.
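A zeroed compilation timestamp is one of the few artifacts this article gives a defender to look for. The following is an added example (not code from the article or from ESET) that reads the COFF `TimeDateStamp` from a PE image and flags it when it is zero; the minimal PE header buffers it checks are constructed inline for the demonstration, and the sample timestamp is an assumed value, not taken from the real samples.

```python
import struct
from datetime import datetime, timezone


def coff_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image given its raw bytes.

    Raises ValueError if the buffer does not look like a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def has_zeroed_timestamp(data: bytes) -> bool:
    """True when the compile timestamp was scrubbed to zero (a suspicious trait)."""
    return coff_timestamp(data) == 0


def describe_timestamp(data: bytes) -> str:
    """Human-readable build date, or 'zeroed' when the field was wiped."""
    ts = coff_timestamp(data)
    if ts == 0:
        return "zeroed"
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def make_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable PE header buffer for testing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # Machine=0x14C (i386), 1 section, the given timestamp, remaining fields zero
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for label, ts in (("wiped", 0), ("normal", 1381622400)):  # 1381622400 is an assumed value
        print(label, describe_timestamp(make_sample_pe(ts)))
```

On real files, read the whole file as bytes and pass it to `describe_timestamp`; a zero stamp alone is not proof of malice (some build tools emit it), so treat it as one triage signal among others.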
The malware consists of 2 sophisticated modules, each with its own spying features.
The first module is the smaller and less capable of the 2. It supports only 15 commands, which together allow it to alter the local system and to search for and steal data. Some of the commands also allow turning the user's microphone and webcam on or off, recording audio or taking screenshots, monitoring local drives, and encoding audio to MP3 and sending it back to the command and control server.
This module is not as advanced as the second one, but it can extract proxy settings from browsers and use that configuration to send data to its command and control server.
The second module is the more powerful of the 2 InvisiMole modules, supporting 84 backdoor commands that cover almost anything an advanced spyware can do.
Its capabilities include running remote shell commands, executing files, manipulating registry keys, extracting network information, disabling UAC, loading drivers and more. Like the first module, it can also take screenshots via the webcam and record audio.
According to Hromcová, this module can also safely delete its own file after collection has taken place, preventing forensic tools from detecting any shadow files on disk.
Another unique feature is that RC2CL can act as a proxy, enhancing communication between the first module and the C&C server.
Above all, it is one of the most powerful spyware tools discovered to date and probably the best one around on the internet.