win.invisimole

InvisiMole


InvisiMole had a modular architecture, starting with a wrapper DLL that performed its activities through two other modules embedded in its resources, named RC2FM and RC2CL. Both were feature-rich backdoors that turned the affected computer into a video camera, letting the attackers spy on the victim.
The malicious actors behind this malware were active since at least 2013 in highly targeted campaigns, with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as the legitimate mpr.dll library and was placed in the same folder as explorer.exe, so that during Windows startup it was loaded into the Windows Explorer process instead of the legitimate library.
The malware came in both 32-bit and 64-bit versions, which made this persistence technique work on both architectures.
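The persistence technique described above (a wrapper DLL named mpr.dll planted beside explorer.exe, so the loader picks it up before the copy in System32) is something a defender can check for directly. The following Python is an added example written for this page, not code from Malpedia or from the ESET reports; it builds a constructed mock of the Windows directory layout under a temporary folder so it runs offline on any OS, and the WATCHED_DLLS list and the SHA-256 comparison against the System32 copy are the example's own assumptions rather than anything the page states.

```python
"""Added example: locate a search-order hijack of explorer.exe's mpr.dll.

Not code from Malpedia or ESET. The real check runs against %WINDIR% and
%WINDIR%/System32; the demo below fabricates both in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path

# DLL names the page says InvisiMole planted beside explorer.exe. Constructed
# watch list; extend it with other libraries explorer.exe imports in your build.
WATCHED_DLLS = ("mpr.dll",)


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_dlls(windows_dir, system32_dir, watched=WATCHED_DLLS):
    """Return findings for watched DLLs that sit next to explorer.exe.

    explorer.exe lives in the Windows directory while the legitimate mpr.dll
    lives in System32. A same-named file next to explorer.exe wins the loader's
    search order, so its mere presence is the indicator; the hash comparison
    only tells the analyst whether it is a byte-identical copy or a stranger.
    """
    windows_dir = Path(windows_dir)
    system32_dir = Path(system32_dir)
    findings = []
    if not (windows_dir / "explorer.exe").is_file():
        return findings  # nothing to hijack in this directory
    for name in watched:
        planted = windows_dir / name
        if not planted.is_file():
            continue
        legit = system32_dir / name
        finding = {
            "path": str(planted),
            "size": planted.stat().st_size,
            "sha256": sha256_of(planted),
            "matches_system32": None,  # None when no System32 copy exists
        }
        if legit.is_file():
            finding["matches_system32"] = sha256_of(legit) == finding["sha256"]
        findings.append(finding)
    return findings


def build_constructed_layout(planted):
    """Create a throwaway tree mimicking %WINDIR% (constructed, not real PEs)."""
    root = Path(tempfile.mkdtemp(prefix="invisimole_demo_"))
    windows = root / "Windows"
    system32 = windows / "System32"
    system32.mkdir(parents=True)
    (windows / "explorer.exe").write_bytes(b"MZ constructed explorer stub")
    (system32 / "mpr.dll").write_bytes(b"MZ constructed legitimate mpr stub")
    if planted:
        # The wrapper DLL in the same folder as explorer.exe, as the page describes.
        (windows / "mpr.dll").write_bytes(b"MZ constructed wrapper stub")
    return windows, system32


def demo():
    """Run the check over a clean layout and a hijacked one; return both results."""
    clean = find_planted_dlls(*build_constructed_layout(planted=False))
    hijacked = find_planted_dlls(*build_constructed_layout(planted=True))
    return clean, hijacked


if __name__ == "__main__":
    clean_findings, hijacked_findings = demo()
    print("clean layout findings:", clean_findings)
    for f in hijacked_findings:
        print("HIJACK INDICATOR:", f["path"], "sha256", f["sha256"][:16],
              "identical to System32 copy:", f["matches_system32"])
```

On a live host you would call find_planted_dlls with the real Windows and System32 paths (and System32's 32-bit counterpart as well, since the page notes both 32-bit and 64-bit builds existed); the same logic applies to any DLL an application directory can shadow.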

The smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands, indexed by number. The commands could make simple changes to the system and offered spying features such as capturing sound, taking screenshots, and monitoring all fixed and removable drives.

The second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands, including file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, and listing of installed software. Although the backdoor was capable of interfering with the system (e.g. logging off a user, terminating a process or shutting down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or securely deleting its traces.

References

2022-11-27 | cocomelonc (cocomelonc) | Malware development tricks: part 24. ListPlanting. Simple C++ example. | https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html
  Families: InvisiMole

2022-08-18 | Pawel Knapczyk (Trustwave) | Overview of the Cyber Weapons Used in the Ukraine - Russia War | https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/
  Families: AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket

2022-08-18 | Pawel Knapczyk (Trustwave) | Overview of the Cyber Weapons Used in the Ukraine - Russia War | https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war
  Families: AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket

2022-01-11 | Michal Poslušný (ESET Research) | Signed kernel drivers – Unguarded gateway to Windows’ core | https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
  Families: InvisiMole, LoJax, RobinHood, Slingshot

2021-04-29 | Robert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek (ESET Research) | ESET Industry Report on Government: Targeted but not alone (report) | https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf
  Families: Exaramel, Crutch, Exaramel, HyperBro, HyperSSL, InvisiMole, XDSpy

2020-06-18 | Zuzana Hromcová, Anton Cherepanov (ESET Research) | Digging up InvisiMole’s hidden arsenal | https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/
  Families: InvisiMole, Gamaredon Group, InvisiMole

2020-06-08 | Zuzana Hromcová, Anton Cherepanov (ESET Research) | InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations (report) | https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
  Families: InvisiMole, RC2FM

2018-06-07 | Zuzana Hromcová (ESET Research) | InvisiMole: Surprisingly equipped spyware, undercover since 2013 | https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
  Families: InvisiMole, InvisiMole
Yara Rules
[TLP:WHITE] win_invisimole_auto (20221125 | Detects win.invisimole.)
rule win_invisimole_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.invisimole."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 ff15???????? 53 ff15???????? 85c0 0f84fc000000 8d44243c }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84fc000000         | je                  0x102
            //   8d44243c             | lea                 eax, [esp + 0x3c]

        $sequence_1 = { c745f41e010000 c745f80f000000 8955fc e8???????? 8d88f4080000 894de4 8d88680e0000 }
            // n = 7, score = 100
            //   c745f41e010000       | mov                 dword ptr [ebp - 0xc], 0x11e
            //   c745f80f000000       | mov                 dword ptr [ebp - 8], 0xf
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   e8????????           |                     
            //   8d88f4080000         | lea                 ecx, [eax + 0x8f4]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8d88680e0000         | lea                 ecx, [eax + 0xe68]

        $sequence_2 = { 85d2 740b 50 8b4704 }
            // n = 4, score = 100
            //   85d2                 | test                edx, edx
            //   740b                 | je                  0xd
            //   50                   | push                eax
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

        $sequence_3 = { 89442428 8944242c e8???????? 83c408 84c0 0f84ac000000 8b442418 }
            // n = 7, score = 100
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   0f84ac000000         | je                  0xb2
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]

        $sequence_4 = { c745e01cb04000 c745e428b04000 c745e834b04000 c745ec40b04000 c745f04cb04000 }
            // n = 5, score = 100
            //   c745e01cb04000       | mov                 dword ptr [ebp - 0x20], 0x40b01c
            //   c745e428b04000       | mov                 dword ptr [ebp - 0x1c], 0x40b028
            //   c745e834b04000       | mov                 dword ptr [ebp - 0x18], 0x40b034
            //   c745ec40b04000       | mov                 dword ptr [ebp - 0x14], 0x40b040
            //   c745f04cb04000       | mov                 dword ptr [ebp - 0x10], 0x40b04c

        $sequence_5 = { ff15???????? 8b550c 57 8902 ff15???????? 8b4d08 5f }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   8902                 | mov                 dword ptr [edx], eax
            //   ff15????????         |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   5f                   | pop                 edi

        $sequence_6 = { ff15???????? 85c0 0f84ae010000 a1???????? 6808020000 6a08 50 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84ae010000         | je                  0x1b4
            //   a1????????           |                     
            //   6808020000           | push                0x208
            //   6a08                 | push                8
            //   50                   | push                eax

        $sequence_7 = { 8b0d???????? 50 6a08 51 ffd7 8bf8 }
            // n = 6, score = 100
            //   8b0d????????         |                     
            //   50                   | push                eax
            //   6a08                 | push                8
            //   51                   | push                ecx
            //   ffd7                 | call                edi
            //   8bf8                 | mov                 edi, eax

        $sequence_8 = { 8b5a08 8d8d78fbffff 8d7c0002 51 e8???????? 83c404 84c0 }
            // n = 7, score = 100
            //   8b5a08               | mov                 ebx, dword ptr [edx + 8]
            //   8d8d78fbffff         | lea                 ecx, [ebp - 0x488]
            //   8d7c0002             | lea                 edi, [eax + eax + 2]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al

        $sequence_9 = { 6a01 8d45ff 50 57 8855ff e8???????? 0fb64e06 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   8d45ff               | lea                 eax, [ebp - 1]
            //   50                   | push                eax
            //   57                   | push                edi
            //   8855ff               | mov                 byte ptr [ebp - 1], dl
            //   e8????????           |                     
            //   0fb64e06             | movzx               ecx, byte ptr [esi + 6]

    condition:
        7 of them and filesize < 139264
}