A rarely used, but very powerful cyber-espionage malware with the ability to install backdoors, remotely execute code and grab sound and audio from the affected device has been discovered and analysed by ESET researchers.
InvisiMole is described as an effective piece of malware, but for all its usefulness ESET believes it has only been installed in a very few machines, this despite the strong possibility that it has been in the wild since 2013. ESET was able to date the malware by finding an early version with a PE timestamp reading Oct 13, 2013.
It was first picked up in May in computers based in Russia and Ukraine.
“The campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen computers being affected,” ESET noted.
The malware comes with a wrapper DLL with its nefarious activities being handled by two modules that have several overlapping capabilities. Each can create a backdoor and enable the attacker to have an almost total view of the computer's activities.
How InvisioMole is injected into the victimized computer is not yet known.
The wrapper DLL is compiled using the Free Pascal Compiler and placed in the Windows folder camouflaged as either a 32- or 64-bit mpr.dll library file.
The two accompanying modules, RC2FM and RC2CL, are loaded by the wrapper DLL into the explorer.exe process which helps keep it separate and thus hidden during normal operation.
The two modules contained within the malware somewhat confuse ESET. Researchers theorized that each could have been added over time to the malware bundle or that RC2FM, the smaller of the two, is used for recon purposes, but in the end, there is no way to truly know.
However, what each does do is known.
RC2FM contains a backdoor and can execute 15 supported commands when ordered to by its command and control server. These commands range from grabbing screenshots, engaging the microphone, open and close files, writing data to files and uploading new files.
Module RC2CL has very similar capabilities but is able to collect as much data as possible from the infected machine.
“Interestingly, there is an option in the RC2CL module to turn off its backdoor functionality and act as a proxy. In this case, the malware turns off the Windows firewall and creates a server that relays communication between a client and C&C server, or between two clients,” the researchers said.
It can also geolocate a victim by scanning for the SSID or MAC address of the device's connected WiFi point and comparing it to addresses kept public databases. And like the other module it has access to the mic and in this case also the camera so it can record audio and video of the owner and the local environment.