InvisiMole Burrows into Targets with Rich Espionage Tools

Researchers are expressing concern over a versatile spyware called InvisiMole that has been spotted in highly targeted campaigns targeting Windows PCs in Russia and the Ukraine.

The malicious code, which comes in 32-bit and 64-bit versions, has a modular architecture, with two different, feature-rich backdoors that have overlapping functionality. Together they account for nearly 100 espionage functions. Some of these are more concerning than others. For instance, InvisiMole gives attackers access to a compromised PC’s video camera, so they can see and hear what’s going on in the victim’s location. In this way, adversaries can monitor the target’s activities and steal information, not to mention gain an understanding of the person’s physical environment, which could be used as reconnaissance for physical robberies.

According to ESET, the malicious actors behind this malware have been active at least since 2013. They add the cyber-espionage tool hasn’t been detected until it was recently found on compromised computers in Ukraine and Russia. The researchers aren’t sure how it spreads, but noted in an analysis posted last week that “all infection vectors are possible, including installation facilitated by physical access to the machine.”

They added that the malware uses only a few techniques to avoid detection and analysis, yet, “deployed against a very small number of high-value targets, it was able to stay under the radar for at least five years.”

A Bonanza of Bad Actions

Both the InvisiMole backdoor modules launch at the same time, and together represent extensive spying capabilities that the malware uses to tunnel deep into machines.

The RC2CL module is the more complex of the two, with extensive data reconnaissance functionality.

“Common backdoors often support commands such as file system operations, file execution, registry key manipulation or remote shell activation,” ESET researchers said. “This spyware supports all of these instructions and a whole lot more – its 84 commands provide the attackers with all they need to look at their victims more closely.”

Some of these commands include the ability to inspect the infected computer to lift system information such as lists of active processes, running services, loaded drivers or available drives, and the software installed on the compromised computer, including what’s executed automatically at each system start or user login.

The malware can also be instructed to search for recently-used documents or specific kinds of files, and it can monitor specific directories and removable devices, report any changes and exfiltrate files of the attackers’ choice.

It’s also interested in networking information, including the IP forward table and the speed of the internet connection. It can also scan enabled wireless networks to steal the the SSID and MAC address of the visible Wi-Fi access points.

“These data can then be compared to public databases, letting the attackers track the geolocation of the victim,” ESET noted.

In addition to collecting system and network information, RC2CL can remotely activate the victim’s webcam and microphone, taking pictures and recording sound. It can also capture screenshots, including separately capturing each window that’s open.

The other, smaller module, dubbed RC2FM, contains a backdoor with 15 supported commands. These include those used for listing basic system information and performing simple changes on the system, but it also has spy capabilities up its sleeve. For instance, it’s capable of remotely activating the microphone on the compromised computer and capturing sounds. The audio recordings are encoded to MP3 format using a legitimate lame.dll library. It also takes screenshots.

The other notable feature is that it also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file.

“We can only wonder why the authors decided to use two modules with overlapping capabilities,” ESET researchers said. “One might think the smaller module, RC2FM, is used as an initial reconnaissance tool, while the bigger RC2CL module is only run on interesting targets. This is, however, not the case – both of the modules are launched simultaneously. Another possible explanation is that the modules might have been crafted by various authors and then bundled together to provide the malware operators a more complex range of functionalities.”

Digging Under the Radar

The malware, in order to maximize its spy functionality, is particularly careful not to trigger user notice. For instance, it comes in a wrapper DLL, compiled with the Free Pascal Compiler. This library drops into a Windows folder, masquerading as a legitimate mpr.dll library file with a forged name and version info.

From there, it has a few paths it can take to compromise. First, it can hijack a DLL.

“Being placed in the same folder as explorer.exe, the wrapper DLL is loaded during the Windows startup into the Windows Explorer process instead of the legitimate library located in the %windir%\system32 folder,” the researchers said.

It also has the ability to get at machines in other ways. For instance, the wrapper DLL exports a function called GetDataLength, ESET noted. When this function is called, the DLL checks its parent process.

“This suggests other possible persistence methods – by scheduling a task (i.e. having svchost.exe as a parent process) or by installation in a startup registry key (explorer.exe being the parent process),” researchers explained.

In any case, though the backdoor is capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it takes care not to disrupt the normal operation of the application, and thereby remain hidden.

The malware also protects itself from the prying eyes of administrators and analysts by encrypting its strings, internal files, configuration data and network communication.

“While the RC2FM module uses a handful of custom ciphers, the wrapper DLL and the RC2CL module share one particular routine for all purposes, especially for decrypting other malware modules embedded in the wrapper DLL,” researchers said.

And, it’s crafty: While the malware goes about inspecting files and reading or modifying files, it always restores the original file access or modification timestamp, so that the user is unaware of its operation.

It’s also fastidious when it comes to traces left on the disk. The malware collects its raft of sensitive data, which are then temporarily stored in files and deleted after they have been successfully uploaded to the C&C servers.

“Even the deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack – after the victim becomes aware of it,” the researchers said. “This is possible due to the fact that some data still reside on a disk even after a file is deleted. To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then is the file deleted.”

The malware has so far been seen on a dozen or so machines, but ESET noted the victims are “high-value.” It’s likely this is one mole that won’t be eradicated from the scene that easily.