InvisiMole Spyware is Used in Highly-Targeted Cyber-Espionage Attacks

Delaware, USA ā€“ June 12, 2018 ā€“ Experts from ESET discovered sophisticated spyware used in a long-term cyber-espionage campaign. Attackers used InvisiMole since 2013 and Malware remained undetected all this time due to highly targeted attacks. Methods of infection are still unknown, at the moment the researchers continue their investigation. InvisiMole is a modular malware with a wide range of features that help to avoid detection and analysis, and spy on the user for a long time. Its two main modules are backdoors. The first one – RC2FM – supports fifteen commands. Among other things, the module is capable of extracting proxy settings from portable browsers, recording audio via microphone and generate a list of all files on all disks for subsequent sending to the command and control server. The second module – RC2CL – supports 84 commands and allows attackers to control the infected system completely. Also, this module complicates forensics by the safe-deleting of files and can act as a proxy for the first module.

InvisiMole is a very powerful tool in the hands of unknown attackers who unnoticeably infected 64-bit and 32-bit versions of Windows. SIEM and specialized use cases can detect data exfiltration attempts and suspicious activity on assets. Netflow Security Monitor helps your SIEM to detect suspicious traffic surges, and Sysmon Framework enables identifying APT activity at an early stage of the attack.
You can also leverage Sigma rule based on IOCs from ESET to uncover traces of InvisiMole in your organization’s network: https://tdm.socprime.com/sigma/generate/MgLA82MBqfpvXJhTtg1h/