InvisiMole

InvisiMole is a modular spyware program that has been used by threat actors since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [1]

ID: S0260
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1087Account DiscoveryInvisiMole has a command to list account information on the victim’s machine.[1]
EnterpriseT1123Audio CaptureInvisiMole can record sound using input audio devices.[1]
EnterpriseT1119Automated CollectionEach time a new drive is inserted, InvisiMole generates a list of all files on the drive and stores it in an encrypted file.[1]
EnterpriseT1088Bypass User Account ControlInvisiMole can bypass UAC and create an elevated COM object to escalate privileges.[1]
EnterpriseT1059Command-Line InterfaceInvisiMole can launch a remote shell to execute commands.[1]
EnterpriseT1043Commonly Used PortInvisiMole uses port 80 for C2.[1]
EnterpriseT1090Connection ProxyInvisiMole can function as a proxy to create a serve that relays communication between the client and C&C server.[1]
EnterpriseT1094Custom Command and Control ProtocolInvisiMole communicates with its C2 servers through a TCP socket.[1]
EnterpriseT1024Custom Cryptographic ProtocolInvisiMole uses variations of a simple XOR encryption routine for C&C communications.[1]
EnterpriseT1002Data CompressedInvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[1]
EnterpriseT1022Data EncryptedInvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.[1]
EnterpriseT1074Data StagedInvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[1]
EnterpriseT1140Deobfuscate/Decode Files or InformationInvisiMole can decrypt, unpack and load a DLL from its resources.[1]
EnterpriseT1089Disabling Security ToolsInvisiMole has a command to disable routing and the Firewall on the victim’s machine.[1]
EnterpriseT1038DLL Search Order HijackingInvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.[1]
EnterpriseT1083File and Directory DiscoveryInvisiMole can lists information about files in a directory.[1]
EnterpriseT1107File DeletionInvisiMole has a command to delete a file and deletes files after they have been successfully uploaded to C2 servers.[1]
EnterpriseT1036MasqueradingInvisiMole saves one of its files as mpr.dll in the Windows folder, masquerading as a legitimate library file.[1]
EnterpriseT1112Modify RegistryInvisiMole has a command to create, set, copy, or delete a specified Registry key or value.[1]
EnterpriseT1135Network Share DiscoveryInvisiMole can gather network share information.[1]
EnterpriseT1027Obfuscated Files or InformationInvisiMole avoids analysis by encrypting all strings, internal files, configuration data.[1]
EnterpriseT1057Process DiscoveryInvisiMole obtains a list of running processes.[1]
EnterpriseT1012Query RegistryInvisiMole can enumerate Registry values, keys, and data.[1]
EnterpriseT1105Remote File CopyInvisiMole can upload files to the victim's machine for operations.[1]
EnterpriseT1113Screen CaptureInvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.[1]
EnterpriseT1071Standard Application Layer ProtocolInvisiMole uses HTTP for C2 communications.[1]
EnterpriseT1082System Information DiscoveryInvisiMole can gather information on the mapped drives, OS version, computer name, and memory size.[1]
EnterpriseT1016System Network Configuration DiscoveryInvisiMole gathers informatin on the IP forwarding table, MAC address, and network SSID.[1]
EnterpriseT1033System Owner/User DiscoveryInvisiMole lists local users and session information.[1]
EnterpriseT1007System Service DiscoveryInvisiMole can obtain running services on the victim.[1]
EnterpriseT1124System Time DiscoveryInvisiMole gathers the local system time from the victim’s machine.[1]
EnterpriseT1099TimestompInvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.[1]
EnterpriseT1125Video CaptureInvisiMole can remotely activate the victim’s webcam to capture content.[1]

References