win.invisimole

InvisiMole


InvisiMole had a modular architecture: a wrapper DLL carried two further modules, RC2FM and RC2CL, embedded in its resources, and performed its activities through them. Both were feature-rich backdoors that effectively turned the affected computer into a video camera, letting the attackers spy on the victim.
The actors behind this malware had been active since at least 2013, in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as the legitimate mpr.dll library and was placed in the same folder as explorer.exe, so that Windows' DLL search order loaded it into the Windows Explorer process at startup instead of the legitimate library.
The malware came in both 32-bit and 64-bit versions, so this persistence technique worked on both architectures.
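The mpr.dll trick above is DLL search-order hijacking: a library that normally lives only in System32 is dropped into the directory of the loading executable, which is searched first. The following check, added here as an example and not code from the Malpedia page or from ESET, walks a Windows directory layout and flags watched DLLs found beside explorer.exe, comparing their hash with the System32 copy. Only mpr.dll is taken from the page; the other DLL names, the function names and the constructed directory tree are assumptions for the demonstration.

```python
"""Added example (not from the Malpedia page or ESET): detect DLLs planted
beside explorer.exe so that the loader picks them over the System32 copy."""
import hashlib
import os
import tempfile

# mpr.dll is the library named on the page; version.dll and profapi.dll are
# assumed additional candidates to show the check is not specific to one DLL.
WATCHED_DLLS = ("mpr.dll", "version.dll", "profapi.dll")


def sha256_of(path):
    """Stream the file so large binaries do not need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_planted_dlls(windows_dir, dll_names=WATCHED_DLLS):
    """Return one finding per watched DLL that sits next to explorer.exe.

    windows_dir is the folder holding explorer.exe (C:\\Windows on a real
    host). A copy there shadows windows_dir\\System32\\<name>; the hash
    comparison separates a stray identical copy from a rogue replacement.
    """
    system32 = os.path.join(windows_dir, "System32")
    findings = []
    for name in dll_names:
        planted = os.path.join(windows_dir, name)
        if not os.path.isfile(planted):
            continue  # nothing shadowing this DLL in the explorer.exe folder
        legit = os.path.join(system32, name)
        legit_exists = os.path.isfile(legit)
        findings.append({
            "dll": name,
            "path": planted,
            "legit_copy_exists": legit_exists,
            # identical hash means a duplicate of the real file, not a wrapper
            "same_as_system32": legit_exists and sha256_of(planted) == sha256_of(legit),
        })
    return findings


def build_demo_tree(root):
    """Constructed layout imitating an infected host: explorer.exe in the
    Windows folder, genuine DLLs in System32, and a differing mpr.dll planted
    next to explorer.exe. The file contents are placeholders, not real PEs."""
    win = os.path.join(root, "Windows")
    os.makedirs(os.path.join(win, "System32"))
    files = {
        ("explorer.exe",): b"MZ explorer placeholder",
        ("System32", "mpr.dll"): b"MZ legitimate mpr placeholder",
        ("System32", "version.dll"): b"MZ legitimate version placeholder",
        ("mpr.dll",): b"MZ rogue wrapper placeholder",  # the planted DLL
    }
    for parts, content in files.items():
        with open(os.path.join(win, *parts), "wb") as fh:
            fh.write(content)
    return win


def demo():
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_planted_dlls(build_demo_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host you would point `find_planted_dlls` at `%SystemRoot%` and treat any finding with `same_as_system32` false as a side-loading candidate worth pulling for analysis; a finding that hashes identical to the System32 copy is an oddity but not by itself evidence of the wrapper DLL.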

The smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands, indexed by number. They could perform simple changes on the system and provided spying features such as capturing audio, taking screenshots and monitoring all fixed and removable drives.

The second module, RC2CL, offered features for collecting as much data about the infected computer as possible rather than for making system changes. It supported up to 84 commands, including file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning and listing of installed software. Although the backdoor was capable of interfering with the system (for example logging off a user, terminating a process or shutting down the system), it mostly provided passive operations. Whenever possible it tried to hide its activity by restoring the original file access times and securely deleting its traces.

References
2022-11-27 | cocomelonc | cocomelonc
@online{cocomelonc:20221127:malware:e3f9492, author = {cocomelonc}, title = {{Malware development tricks: part 24. ListPlanting. Simple C++ example.}}, date = {2022-11-27}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html}, language = {English}, urldate = {2022-11-28} }
InvisiMole
2022-08-18 | Trustwave | Pawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} }
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18 | Trustwave | Pawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} }
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-01-11 | ESET Research | Michal Poslušný
@online{poslun:20220111:signed:1c59d41, author = {Michal Poslušný}, title = {{Signed kernel drivers – Unguarded gateway to Windows’ core}}, date = {2022-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/}, language = {English}, urldate = {2022-01-18} }
InvisiMole LoJax RobinHood Slingshot
2021-04-29 | ESET Research | Robert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} }
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-06-18 | ESET Research | Zuzana Hromcová, Anton Cherepanov
@online{hromcov:20200618:digging:285d02f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/}, language = {English}, urldate = {2020-06-29} }
InvisiMole Gamaredon Group InvisiMole
2020-06-08 | ESET Research | Zuzana Hromcová, Anton Cherepanov
@techreport{hromcov:20200608:invisimole:70a4dc1, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations}}, date = {2020-06-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf}, language = {English}, urldate = {2020-06-29} }
InvisiMole RC2FM
2018-06-07 | ESET Research | Zuzana Hromcová
@online{hromcov:20180607:invisimole:5c5f0ed, author = {Zuzana Hromcová}, title = {{InvisiMole: Surprisingly equipped spyware, undercover since 2013}}, date = {2018-06-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/}, language = {English}, urldate = {2019-11-14} }
InvisiMole InvisiMole
Yara Rules
[TLP:WHITE] win_invisimole_auto (20230125 | Detects win.invisimole.)
rule win_invisimole_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.invisimole."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 894e38 75b0 33ff ff15???????? }
            // n = 4, score = 100
            //   894e38               | mov                 dword ptr [esi + 0x38], ecx
            //   75b0                 | jne                 0xffffffb2
            //   33ff                 | xor                 edi, edi
            //   ff15????????         |                     

        $sequence_1 = { c745f41e010000 c745f80f000000 8955fc e8???????? 8d88f4080000 894de4 8d88680e0000 }
            // n = 7, score = 100
            //   c745f41e010000       | mov                 dword ptr [ebp - 0xc], 0x11e
            //   c745f80f000000       | mov                 dword ptr [ebp - 8], 0xf
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   e8????????           |                     
            //   8d88f4080000         | lea                 ecx, [eax + 0x8f4]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8d88680e0000         | lea                 ecx, [eax + 0xe68]

        $sequence_2 = { 8d45b0 50 8d4dc0 51 c745b001000000 8975b4 8975b8 }
            // n = 7, score = 100
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   50                   | push                eax
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   51                   | push                ecx
            //   c745b001000000       | mov                 dword ptr [ebp - 0x50], 1
            //   8975b4               | mov                 dword ptr [ebp - 0x4c], esi
            //   8975b8               | mov                 dword ptr [ebp - 0x48], esi

        $sequence_3 = { 8a84303d1d0000 0fb6f8 83ff1e 720a c786a4af060078af4000 8b450c 0fb74cb802 }
            // n = 7, score = 100
            //   8a84303d1d0000       | mov                 al, byte ptr [eax + esi + 0x1d3d]
            //   0fb6f8               | movzx               edi, al
            //   83ff1e               | cmp                 edi, 0x1e
            //   720a                 | jb                  0xc
            //   c786a4af060078af4000     | mov    dword ptr [esi + 0x6afa4], 0x40af78
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb74cb802           | movzx               ecx, word ptr [eax + edi*4 + 2]

        $sequence_4 = { 3bc6 7530 6a00 8d4dec }
            // n = 4, score = 100
            //   3bc6                 | cmp                 eax, esi
            //   7530                 | jne                 0x32
            //   6a00                 | push                0
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_5 = { 33c9 66837c43fe5c 66890c43 8d4c43fe 894df4 0f8551060000 b902000000 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   66837c43fe5c         | cmp                 word ptr [ebx + eax*2 - 2], 0x5c
            //   66890c43             | mov                 word ptr [ebx + eax*2], cx
            //   8d4c43fe             | lea                 ecx, [ebx + eax*2 - 2]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   0f8551060000         | jne                 0x657
            //   b902000000           | mov                 ecx, 2

        $sequence_6 = { 3b4628 7213 c7461400000300 b800000002 5f 5e 5b }
            // n = 7, score = 100
            //   3b4628               | cmp                 eax, dword ptr [esi + 0x28]
            //   7213                 | jb                  0x15
            //   c7461400000300       | mov                 dword ptr [esi + 0x14], 0x30000
            //   b800000002           | mov                 eax, 0x2000000
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_7 = { 8b8d78fcffff 8b9598fdffff 51 52 50 e8???????? 6860030000 }
            // n = 7, score = 100
            //   8b8d78fcffff         | mov                 ecx, dword ptr [ebp - 0x388]
            //   8b9598fdffff         | mov                 edx, dword ptr [ebp - 0x268]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   6860030000           | push                0x360

        $sequence_8 = { 83ec10 8d45f0 50 8d4d10 51 ff15???????? }
            // n = 6, score = 100
            //   83ec10               | sub                 esp, 0x10
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d4d10               | lea                 ecx, [ebp + 0x10]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_9 = { 33d2 83c420 84c0 0f95c2 8d5412ff 8955fc }
            // n = 6, score = 100
            //   33d2                 | xor                 edx, edx
            //   83c420               | add                 esp, 0x20
            //   84c0                 | test                al, al
            //   0f95c2               | setne               dl
            //   8d5412ff             | lea                 edx, [edx + edx - 1]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

    condition:
        7 of them and filesize < 139264
}
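The rule above is autogenerated: each `$sequence_N` is a YARA hex string in which `??` stands for one arbitrary byte (typically the relative target of a call or the address operand of an indirect call, which varies between builds), and the condition fires when at least seven of the ten sequences occur in a file smaller than 139264 bytes. The following evaluator, added here as an example and not code from Malpedia, yara-signator or YARA itself, compiles those hex strings into byte regexes and evaluates the same condition, so the matching semantics can be seen without installing YARA. The sequences are copied verbatim from the rule; the sample bytes are constructed from them and are not an InvisiMole binary. Use real YARA for production scanning.

```python
"""Added example (not from Malpedia or yara-signator): a minimal evaluator for
the hex strings and condition of win_invisimole_auto."""
import re

# The ten hex strings of the rule, copied verbatim; '??' is a one-byte wildcard.
SEQUENCES = {
    "sequence_0": "894e38 75b0 33ff ff15????????",
    "sequence_1": "c745f41e010000 c745f80f000000 8955fc e8???????? 8d88f4080000 894de4 8d88680e0000",
    "sequence_2": "8d45b0 50 8d4dc0 51 c745b001000000 8975b4 8975b8",
    "sequence_3": "8a84303d1d0000 0fb6f8 83ff1e 720a c786a4af060078af4000 8b450c 0fb74cb802",
    "sequence_4": "3bc6 7530 6a00 8d4dec",
    "sequence_5": "33c9 66837c43fe5c 66890c43 8d4c43fe 894df4 0f8551060000 b902000000",
    "sequence_6": "3b4628 7213 c7461400000300 b800000002 5f 5e 5b",
    "sequence_7": "8b8d78fcffff 8b9598fdffff 51 52 50 e8???????? 6860030000",
    "sequence_8": "83ec10 8d45f0 50 8d4d10 51 ff15????????",
    "sequence_9": "33d2 83c420 84c0 0f95c2 8d5412ff 8955fc",
}
FILESIZE_LIMIT = 139264   # the rule's "filesize < 139264"
REQUIRED = 7              # the rule's "7 of them"


def _byte_pairs(hex_string):
    """Yield the two-character tokens of a hex string with spaces removed."""
    tokens = hex_string.replace(" ", "")
    for i in range(0, len(tokens), 2):
        yield tokens[i:i + 2]


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex: every fixed
    byte is escaped literally and every '??' becomes '.' (any single byte)."""
    parts = []
    for pair in _byte_pairs(hex_string):
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data):
    """Names of the sequences found anywhere in data, in sorted order."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def rule_matches(data):
    """Evaluate the rule's condition: 7 of them and filesize < 139264."""
    return len(matching_sequences(data)) >= REQUIRED and len(data) < FILESIZE_LIMIT


def synthesize_sample(names, wildcard=0x90, pad=b"\x00" * 16):
    """Constructed input: the chosen sequences concatenated with filler bytes
    in the '??' positions. This is not an InvisiMole sample; it only exercises
    the matcher."""
    out = bytearray(pad)
    for name in names:
        for pair in _byte_pairs(SEQUENCES[name]):
            out.append(wildcard if pair == "??" else int(pair, 16))
        out += pad
    return bytes(out)


if __name__ == "__main__":
    seven = sorted(SEQUENCES)[:7]
    sample = synthesize_sample(seven)
    print("matched:", matching_sequences(sample))
    print("rule fires:", rule_matches(sample))
```

The filesize clause matters in practice: the same seven sequences embedded in a file of 139264 bytes or more do not trigger the rule, which is why auto-generated rules of this kind are tuned to unpacked modules and memory dumps rather than to packed droppers.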