win.invisimole

InvisiMole


InvisiMole had a modular architecture, starting with a wrapper DLL and performing its activities through two other modules embedded in the wrapper's resources, named RC2FM and RC2CL. Both were feature-rich backdoors that turned the affected computer into a video camera, letting the attackers spy on the victim.
The malicious actors behind this malware had been active since at least 2013 in highly targeted campaigns, with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as the legitimate mpr.dll library and was placed in the same folder as explorer.exe, which caused it to be loaded into the Windows Explorer process during Windows startup instead of the legitimate library.
The malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.
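The persistence trick described above relies on the loader searching an executable's own directory before System32. As an added illustration (example code written for this page, not InvisiMole's code and not part of Malpedia), the Python script below checks the directory that holds explorer.exe for DLLs that carry the name of a System32 library and reports whether their content matches the System32 copy. The directory layout it builds in a temporary folder (an `explorer.exe` stub, a legitimate-looking `mpr.dll` in `System32`, and a differing `mpr.dll` beside `explorer.exe`) is constructed for the demonstration; on a real host you would point `find_sideload_candidates` at `C:\Windows` and `C:\Windows\System32`.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large System32 libraries are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(explorer_dir: Path, system32_dir: Path) -> list:
    """Report DLLs beside explorer.exe that carry the name of a System32 library.

    The loader searches the executable's own directory before System32, so a
    same-named file here is loaded in place of the real library. Returns
    (dll name, verdict) tuples sorted by name.
    """
    findings = []
    for entry in sorted(explorer_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        legit = system32_dir / entry.name
        if not legit.is_file():
            continue  # no name collision, so no search-order shadowing
        if sha256_of(entry) == sha256_of(legit):
            verdict = "identical copy of System32 library"
        else:
            verdict = "differs from System32 library (possible planted DLL)"
        findings.append((entry.name, verdict))
    return findings


def build_constructed_fixture() -> tuple:
    """Create a constructed mini Windows tree in a temp dir.

    Contents: an explorer.exe stub, a 'legitimate' mpr.dll in System32, a
    differing mpr.dll placed next to explorer.exe, and an unrelated shell32.dll
    that exists only in System32. None of these are real binaries.
    """
    root = Path(tempfile.mkdtemp(prefix="mpr_sideload_demo_"))
    windows = root / "Windows"
    system32 = windows / "System32"
    system32.mkdir(parents=True)
    (windows / "explorer.exe").write_bytes(b"MZ constructed explorer stub")
    (system32 / "mpr.dll").write_bytes(b"MZ constructed legitimate mpr.dll")
    (system32 / "shell32.dll").write_bytes(b"MZ constructed shell32.dll")
    (windows / "mpr.dll").write_bytes(b"MZ constructed planted mpr.dll")
    return windows, system32


if __name__ == "__main__":
    win_dir, sys32_dir = build_constructed_fixture()
    for name, verdict in find_sideload_candidates(win_dir, sys32_dir):
        print(f"{name}: {verdict}")
```

A hash comparison is only a first filter: it flags a same-named DLL whose content differs, which is the case this page describes, but it says nothing about which copy is genuine. Follow a hit with Authenticode signature and PE header inspection (the page notes that both 32-bit and 64-bit builds existed, so check the machine type against the host's explorer.exe).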

The smaller of the two modules, RC2FM, contained a backdoor with fifteen supported commands indexed by number. The commands could perform simple changes on the system and provided spying features such as capturing audio, taking screenshots and monitoring all fixed and removable drives.

The second module, RC2CL, offered features for collecting as much data about the infected computer as possible rather than for making system changes. The module supported up to 84 commands, such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software, etc. Though the backdoor was capable of interfering with the system (e.g. logging off a user, terminating a process or shutting down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or securely deleting its traces.

References
2021-04-29 | ESET Research | Robert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
ESET Industry Report on Government: Targeted but not alone
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf (language: English; retrieved 2021-05-03)
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} }
Tagged: Exaramel, Crutch, Exaramel, HyperBro, HyperSSL, InvisiMole, XDSpy

2020-06-18 | ESET Research | Zuzana Hromcová, Anton Cherepanov
Digging up InvisiMole's hidden arsenal
https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/ (language: English; retrieved 2020-06-29)
@online{hromcov:20200618:digging:285d02f, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{Digging up InvisiMole’s hidden arsenal}}, date = {2020-06-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/}, language = {English}, urldate = {2020-06-29} }
Tagged: InvisiMole, Gamaredon Group, InvisiMole

2020-06-08 | ESET Research | Zuzana Hromcová, Anton Cherepanov
InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf (language: English; retrieved 2020-06-29)
@techreport{hromcov:20200608:invisimole:70a4dc1, author = {Zuzana Hromcová and Anton Cherepanov}, title = {{InvisiMole: The Hidden Part of the Story - Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations}}, date = {2020-06-08}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf}, language = {English}, urldate = {2020-06-29} }
Tagged: InvisiMole, RC2FM

2018-06-07 | ESET Research | Zuzana Hromcová
InvisiMole: Surprisingly equipped spyware, undercover since 2013
https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/ (language: English; retrieved 2019-11-14)
@online{hromcov:20180607:invisimole:5c5f0ed, author = {Zuzana Hromcová}, title = {{InvisiMole: Surprisingly equipped spyware, undercover since 2013}}, date = {2018-06-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/}, language = {English}, urldate = {2019-11-14} }
Tagged: InvisiMole, InvisiMole
Yara Rules
[TLP:WHITE] win_invisimole_auto (20210616 | Detects win.invisimole.)
rule win_invisimole_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.invisimole."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 8b4d0c 52 50 8b4508 51 e8???????? }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_1 = { 0f8593000000 80bf5704000000 0f8586000000 8b570c 8b8748020000 6a00 8d8d2cffffff }
            // n = 7, score = 100
            //   0f8593000000         | jne                 0x99
            //   80bf5704000000       | cmp                 byte ptr [edi + 0x457], 0
            //   0f8586000000         | jne                 0x8c
            //   8b570c               | mov                 edx, dword ptr [edi + 0xc]
            //   8b8748020000         | mov                 eax, dword ptr [edi + 0x248]
            //   6a00                 | push                0
            //   8d8d2cffffff         | lea                 ecx, dword ptr [ebp - 0xd4]

        $sequence_2 = { 53 6a00 51 ff15???????? 8b15???????? 57 6a00 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b15????????         |                     
            //   57                   | push                edi
            //   6a00                 | push                0

        $sequence_3 = { 6a00 51 ffd7 e9???????? 48 7512 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ffd7                 | call                edi
            //   e9????????           |                     
            //   48                   | dec                 eax
            //   7512                 | jne                 0x14

        $sequence_4 = { 8b4508 8d48ff 83f90e 760a c786a4af060084af4000 }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d48ff               | lea                 ecx, dword ptr [eax - 1]
            //   83f90e               | cmp                 ecx, 0xe
            //   760a                 | jbe                 0xc
            //   c786a4af060084af4000 | mov                 dword ptr [esi + 0x6afa4], 0x40af84

        $sequence_5 = { 837da400 7412 8b559c a1???????? 52 6a00 50 }
            // n = 7, score = 100
            //   837da400             | cmp                 dword ptr [ebp - 0x5c], 0
            //   7412                 | je                  0x14
            //   8b559c               | mov                 edx, dword ptr [ebp - 0x64]
            //   a1????????           |                     
            //   52                   | push                edx
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_6 = { 52 ff15???????? e9???????? a1???????? 50 ffd7 8bf0 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ff15????????         |                     
            //   e9????????           |                     
            //   a1????????           |                     
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 52 b901000000 50 8bdf c68554ffffff02 66898d55ffffff }
            // n = 6, score = 100
            //   52                   | push                edx
            //   b901000000           | mov                 ecx, 1
            //   50                   | push                eax
            //   8bdf                 | mov                 ebx, edi
            //   c68554ffffff02       | mov                 byte ptr [ebp - 0xac], 2
            //   66898d55ffffff       | mov                 word ptr [ebp - 0xab], cx

        $sequence_8 = { 8b5dec 8b5508 50 8b07 6860ea0000 }
            // n = 5, score = 100
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   6860ea0000           | push                0xea60

        $sequence_9 = { 0f8516f5ffff 8b4f0c 8b5714 6a00 }
            // n = 4, score = 100
            //   0f8516f5ffff         | jne                 0xfffff51c
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]
            //   8b5714               | mov                 edx, dword ptr [edi + 0x14]
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 139264
}
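To make the rule's matching model concrete, here is an added Python example (written for this page; it is not part of Malpedia's or yara-signator's tooling) that translates the rule's ten hex sequences, `??` wildcards included, into byte regexes and evaluates the condition `7 of them and filesize < 139264` over test buffers. The buffers it builds fill wildcard bytes with 0x90 and separate the sequences with int3 filler; they are constructed for the demonstration and are not InvisiMole samples.

```python
import re

# The ten hex-string sequences from win_invisimole_auto, copied from the rule
# above. "??" is YARA's single-byte wildcard; here it covers call/jump targets
# and absolute addresses, which differ between builds and load addresses.
SEQUENCES = {
    "sequence_0": "51 8b4d0c 52 50 8b4508 51 e8????????",
    "sequence_1": "0f8593000000 80bf5704000000 0f8586000000 8b570c 8b8748020000 6a00 8d8d2cffffff",
    "sequence_2": "53 6a00 51 ff15???????? 8b15???????? 57 6a00",
    "sequence_3": "6a00 51 ffd7 e9???????? 48 7512",
    "sequence_4": "8b4508 8d48ff 83f90e 760a c786a4af060084af4000",
    "sequence_5": "837da400 7412 8b559c a1???????? 52 6a00 50",
    "sequence_6": "52 ff15???????? e9???????? a1???????? 50 ffd7 8bf0",
    "sequence_7": "52 b901000000 50 8bdf c68554ffffff02 66898d55ffffff",
    "sequence_8": "8b5dec 8b5508 50 8b07 6860ea0000",
    "sequence_9": "0f8516f5ffff 8b4f0c 8b5714 6a00",
}
REQUIRED_MATCHES = 7      # condition: "7 of them"
FILESIZE_LIMIT = 139264   # condition: "filesize < 139264"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string with ?? byte wildcards into a bytes regex.

    Only whole-byte wildcards are handled; nibble wildcards and jumps ([n-m])
    are outside this teaching example.
    """
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex pattern must contain whole bytes")
    parts = []
    for i in range(0, len(digits), 2):
        token = digits[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches a 0x0a byte
    return re.compile(b"".join(parts), re.DOTALL)


def evaluate_rule(data: bytes) -> dict:
    """Mirror the rule's condition over a buffer: which sequences match, and
    whether the rule fires (enough matches AND size under the limit)."""
    matched = [name for name, pat in SEQUENCES.items()
               if hex_pattern_to_regex(pat).search(data)]
    return {
        "matched": matched,
        "fires": len(matched) >= REQUIRED_MATCHES and len(data) < FILESIZE_LIMIT,
    }


def constructed_sample(names, pad_to: int = 0) -> bytes:
    """Build a constructed buffer containing the named sequences, wildcard
    bytes filled with 0x90 (nop), separated and padded with 0xcc (int3).
    This is test input for the demonstration, not malware."""
    chunks = []
    for name in names:
        digits = SEQUENCES[name].replace(" ", "").replace("??", "90")
        chunks.append(bytes.fromhex(digits))
    data = (b"\xcc" * 16).join(chunks)
    return data.ljust(pad_to, b"\xcc")


if __name__ == "__main__":
    partial = constructed_sample(["sequence_0", "sequence_1", "sequence_2"])
    print("3 sequences present:", evaluate_rule(partial))
    full = constructed_sample(list(SEQUENCES))
    print("all sequences present:", evaluate_rule(full))
    oversized = constructed_sample(list(SEQUENCES), pad_to=FILESIZE_LIMIT)
    print("all present but too large:", evaluate_rule(oversized)["fires"])
```

This re-implements only a small subset of YARA's hex-string semantics for teaching purposes; for real scanning compile the rule with yara or yara-python. Its point is to show why an autogenerated code-sequence rule tolerates rebuilt or relocated samples: every call, jump and absolute-address operand is wildcarded, so each sequence depends only on the surrounding opcodes, while the `7 of them` threshold keeps a single coincidental sequence from firing the rule and the filesize bound narrows it to the unpacked module size Malpedia observed.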