SYMBOLCOMMON_NAMEaka. SYNONYMS
win.invisimole (Back to overview)

InvisiMole

VTCollection    

InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers to spy the victim.
The malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which made it being loaded during the Windows startup into the Windows Explorer process instead of the legitimate library.
Malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.

The smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.

The second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces.

References
2022-11-27cocomelonccocomelonc
Malware development tricks: part 24. ListPlanting. Simple C++ example.
InvisiMole
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-01-11ESET ResearchMichal Poslušný
Signed kernel drivers – Unguarded gateway to Windows’ core
InvisiMole LoJax RobinHood Slingshot
2021-04-29ESET ResearchAndy Garth, Daniel Chromek, Matthieu Faou, Robert Lipovsky, Tony Anscombe
ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2020-06-18ESET ResearchAnton Cherepanov, Zuzana Hromcová
Digging up InvisiMole’s hidden arsenal
InvisiMole Gamaredon Group InvisiMole
2020-06-08ESET ResearchAnton Cherepanov, Zuzana Hromcová
InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations
InvisiMole RC2FM
2018-06-07ESET ResearchZuzana Hromcová
InvisiMole: Surprisingly equipped spyware, undercover since 2013
InvisiMole InvisiMole
Yara Rules
[TLP:WHITE] win_invisimole_auto (20230808 | Detects win.invisimole.)
rule win_invisimole_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.invisimole."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 668945f0 8d863e020000 50 ffd7 33c9 668945f2 8d45f8 }
            // n = 7, score = 100
            //   668945f0             | mov                 word ptr [ebp - 0x10], ax
            //   8d863e020000         | lea                 eax, [esi + 0x23e]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   33c9                 | xor                 ecx, ecx
            //   668945f2             | mov                 word ptr [ebp - 0xe], ax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_1 = { 8d5590 52 50 e8???????? 83c40c 83f8ff 0f848df1ffff }
            // n = 7, score = 100
            //   8d5590               | lea                 edx, [ebp - 0x70]
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   83f8ff               | cmp                 eax, -1
            //   0f848df1ffff         | je                  0xfffff193

        $sequence_2 = { 0fb65714 83c448 6a01 8d45ff 50 56 8855ff }
            // n = 7, score = 100
            //   0fb65714             | movzx               edx, byte ptr [edi + 0x14]
            //   83c448               | add                 esp, 0x48
            //   6a01                 | push                1
            //   8d45ff               | lea                 eax, [ebp - 1]
            //   50                   | push                eax
            //   56                   | push                esi
            //   8855ff               | mov                 byte ptr [ebp - 1], dl

        $sequence_3 = { 6a01 8d45ff 50 56 c645ff33 }
            // n = 5, score = 100
            //   6a01                 | push                1
            //   8d45ff               | lea                 eax, [ebp - 1]
            //   50                   | push                eax
            //   56                   | push                esi
            //   c645ff33             | mov                 byte ptr [ebp - 1], 0x33

        $sequence_4 = { 8bec 83ec4c 53 56 8bf0 57 8d45b4 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec4c               | sub                 esp, 0x4c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf0                 | mov                 esi, eax
            //   57                   | push                edi
            //   8d45b4               | lea                 eax, [ebp - 0x4c]

        $sequence_5 = { 47 83ff09 72d5 8b0d???????? 56 6a00 51 }
            // n = 7, score = 100
            //   47                   | inc                 edi
            //   83ff09               | cmp                 edi, 9
            //   72d5                 | jb                  0xffffffd7
            //   8b0d????????         |                     
            //   56                   | push                esi
            //   6a00                 | push                0
            //   51                   | push                ecx

        $sequence_6 = { 57 6860040000 33db 53 56 e8???????? a1???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   6860040000           | push                0x460
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   a1????????           |                     

        $sequence_7 = { 8b45fc 50 a1???????? 6a00 50 ffd7 8b4308 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   a1????????           |                     
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]

        $sequence_8 = { 8b45f4 8a5dfb 50 ff15???????? 8ac3 5f }
            // n = 6, score = 100
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8a5dfb               | mov                 bl, byte ptr [ebp - 5]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8ac3                 | mov                 al, bl
            //   5f                   | pop                 edi

        $sequence_9 = { 53 e8???????? 8b75df 81fee6010000 0f8335050000 8a8746020000 0a4710 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b75df               | mov                 esi, dword ptr [ebp - 0x21]
            //   81fee6010000         | cmp                 esi, 0x1e6
            //   0f8335050000         | jae                 0x53b
            //   8a8746020000         | mov                 al, byte ptr [edi + 0x246]
            //   0a4710               | or                  al, byte ptr [edi + 0x10]

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules