ESET security researchers have found a new and sophisticated piece of malware dubbed “InvisiMole”, which they say has been used since 2013 in targeted attacks in both Ukraine and Russia.
While the researchers have yet to identify the origin of this malware, they believe that such an advanced piece of software was most likely built for financially or nationally motivated attacks.
They base this assessment on two factors: first, the malware has been spotted on only a very few computers, and only sporadically.
Second, it boasts a wide array of capabilities. Malware of this type not only takes a great deal of time to build, it is also not the work of typical cybercriminals; it is developed for theft and stealth.
Other than its binary file, very little about this malware is known, including who is behind it, how it operates, and what purpose it serves.
According to Zuzana Hromcová, a researcher at ESET, the investigations show that this malware has been active at least since 2013.
This is despite the fact that it had not been discovered or analyzed until ESET recently identified it on affected computers in both Russia and Ukraine.
Hromcová also added that the spyware can infiltrate its targets in any conceivable way, including installation through physical access to the device.
Like all malware used in highly targeted attacks, InvisiMole has been stripped of most of the clues that could lead researchers back to its creators.
Apart from the single file discovered, which surprisingly dates back to 2013, the malware's binaries carry no compilation dates, as the timestamps have been replaced with zeros. This erases the clues that would otherwise reveal its lifespan and timeline.
What's more, the spyware itself is a complex piece of software: it comprises two modules, each with its own spying features, which can also work together to exfiltrate data.
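A zeroed compilation timestamp is one of the few triage signals the article leaves defenders, so the following added example (not code from ESET or from the article) shows how a PE file's TimeDateStamp is read and classified. The PE layout used is the standard one (e_lfanew at offset 0x3C, the COFF header following the "PE\0\0" signature); the sample headers are constructed stubs, not real InvisiMole binaries, and the 1990 plausibility cutoff is an arbitrary assumption chosen for the example.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# PE_SIGNATURE_OFFSET_FIELD: where the DOS header stores the offset of "PE\0\0".
PE_SIGNATURE_OFFSET_FIELD = 0x3C
# Assumed cutoff for "implausibly old" builds: 1990-01-01T00:00:00Z.
OLDEST_PLAUSIBLE_BUILD = 631152000


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, or raise on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, PE_SIGNATURE_OFFSET_FIELD)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def classify_timestamp(timestamp: int, now: Optional[int] = None) -> str:
    """Label a build timestamp: zeroed, future, implausibly-old or plausible."""
    if timestamp == 0:
        return "zeroed"  # the wiping behaviour described in the article
    if now is None:
        now = int(datetime.now(tz=timezone.utc).timestamp())
    if timestamp > now + 86400:  # more than a day ahead of the clock
        return "future"
    if timestamp < OLDEST_PLAUSIBLE_BUILD:
        return "implausibly-old"
    return "plausible"


def triage(data: bytes, now: Optional[int] = None) -> str:
    """Convenience wrapper: classify the timestamp of a PE image in memory."""
    return classify_timestamp(pe_timestamp(data), now)


def build_stub_pe(timestamp: int) -> bytes:
    """Construct a minimal PE-like header (not a runnable executable) for testing."""
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)  # 64 bytes total
    struct.pack_into("<I", dos_header, PE_SIGNATURE_OFFSET_FIELD, e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,      # Machine: IMAGE_FILE_MACHINE_I386
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp
        0,          # PointerToSymbolTable
        0,          # NumberOfSymbols
        0xE0,       # SizeOfOptionalHeader
        0x0102,     # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos_header) + b"PE\x00\x00" + coff_header


if __name__ == "__main__":
    # Constructed samples: one wiped timestamp, one ordinary 2014 build.
    for label, sample in (("wiped", build_stub_pe(0)),
                          ("normal", build_stub_pe(1400000000))):
        print(label, hex(pe_timestamp(sample)), triage(sample))
```

In practice the same check would be run over files collected from a host, with "zeroed" and "future" results pulled out for manual review; a zeroed stamp is not proof of malice on its own (some toolchains and reproducible-build setups also emit zero), which is why the result is a triage label rather than a verdict.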
The Milder Module
The first of the two InvisiMole modules is known as RC2FM. It is the smaller module and supports only 15 commands. It combines functions to modify the local system with functions to search for and subsequently steal data.
Although it is not as sophisticated as its counterpart, it has notable features, including the ability to extract proxy settings from browsers and use them to send data to its command and control (C&C) server when the local network settings would otherwise prevent it from communicating with that server.
What's more, it has distinct module commands that let it turn on the user's microphone, record audio, encode it as MP3, and send it to the malware's C&C servers.
Finally, this module can also turn on the user's webcam and take screenshots, retrieve system information, monitor local drives, and modify system configuration.
The More Powerful Module
The second module is known as RC2CL and is the more advanced of the two. RC2CL supports 84 backdoor commands and features virtually all the abilities associated with sophisticated spyware.
These include running remote shell commands, executing files, manipulating registry keys, listing installed local applications, gathering network information, loading drivers, turning off the Windows firewall, disabling UAC, and much more.
Furthermore, RC2CL can also compromise the user's microphone to record audio, as well as take screenshots through the webcam, just like its counterpart.
According to Hromcová, this module also boasts some exceptional features. One is that it can “safe-delete” its files right after it finishes collecting data.
It takes this step to ensure that forensic tools cannot recover leftover files from the disk and determine precisely what the malware collected and sent to its central servers.
Additionally, the RC2CL module can act as a proxy, relaying communication between RC2FM (the first module) and the attacker's C&C server.
This characteristic is notable because it has not yet been observed in other strains.
Overall, the main takeaway is that the InvisiMole spyware is highly dangerous and incredibly advanced.