InvisiMole is a Windows spyware backdoor used by nation-state backed actors as a cyber-espionage tool. It collects data and tracks user activity, and has been found on only a small number of systems in Ukraine and Russia.
Because it infected so few systems, it stayed undetected for about five years. Compile timestamps in the samples point to October 2013 (timestamps are easy to forge, so treat the date as indicative), and the malware was first identified in May 2018 on infected computers in Russia and Ukraine.
The attacks are highly targeted, which led researchers to conclude they were planned to spy on the chosen systems over a long period.
The malware is delivered as a wrapper DLL that embeds two modules, RC2FM and RC2CL. Both are feature-rich backdoors that run together and gather as much information about the target as possible.
How the attackers get the wrapper DLL onto a system is still unknown. Given how few machines were hit, installation by someone with physical access to the machine is one possibility.
The wrapper DLL is written to the Windows folder as mpr.dll, borrowing the name of a legitimate Windows library, and carries a forged version info resource so that it passes for the genuine file.
The malware is launched in one of two ways:
The first is DLL search-order hijacking: explorer.exe lives in the Windows folder and resolves mpr.dll from its own directory before System32, so the rogue mpr.dll is loaded into the Windows Explorer process at startup.
The second relies on an export named GetDataLength in the wrapper DLL. When this function is invoked through rundll32.exe, the wrapper first checks that the parent process is explorer.exe or svchost.exe; only then does it launch the payload.
Both are persistence mechanisms. Whichever launch path is used, the two modules do the same job: spying on the user.
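The two launch paths above leave artifacts a defender can look for. The following hunt script is an added example, not code from the original article or from InvisiMole itself: it checks for an mpr.dll sitting directly under the Windows folder and compares it with the real library in System32, lists rundll32.exe instances whose parent is explorer.exe or svchost.exe and whose DLL argument lies outside the system directories, and looks for stray copies of WinRAR.exe (the working directory described later in the article keeps one). It assumes Windows PowerShell 5.1 or later on Windows, run from an elevated prompt; the path regexes are the author's own assumptions about what looks normal, not indicators from the article.

```powershell
# Added hunt script; not from the original article or from InvisiMole.
# Assumes Windows PowerShell 5.1+ on Windows, elevated prompt.

$windir  = $env:windir
$suspect = Join-Path $windir 'mpr.dll'            # hijack location described in the article
$legit   = Join-Path $windir 'System32\mpr.dll'   # where the real library lives

# 1. A copy of mpr.dll directly under %windir%: explorer.exe resolves the name from its own
#    directory before System32, so anything here is loaded in place of the real library.
if (Test-Path $suspect) {
    $sig  = Get-AuthenticodeSignature -FilePath $suspect
    $item = Get-Item $suspect
    [pscustomobject]@{
        Path         = $suspect
        SignerStatus = $sig.Status                          # anything but 'Valid' is a red flag
        Signer       = $sig.SignerCertificate.Subject
        ClaimedName  = $item.VersionInfo.OriginalFilename   # forged version info can say anything
        ClaimedOwner = $item.VersionInfo.CompanyName
        SizeBytes    = $item.Length
        LegitSize    = (Get-Item $legit).Length
        Sha256       = (Get-FileHash $suspect -Algorithm SHA256).Hash
        LegitSha256  = (Get-FileHash $legit -Algorithm SHA256).Hash
    } | Format-List
} else {
    "No mpr.dll directly under $windir (expected on a clean system)."
}

# 2. rundll32.exe started by explorer.exe or svchost.exe that loads a DLL from outside the
#    system directories. Snapshot the process table once so parent lookups do not race.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$procs | Where-Object { $_.Name -ieq 'rundll32.exe' } | ForEach-Object {
    $parent     = $byPid[$_.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    # Command lines look like:  rundll32.exe <dll path>,<export name>
    $argString  = ([string]$_.CommandLine) -replace '^\s*"?[^"]*rundll32\.exe"?\s*', ''
    $parts      = $argString -split ',', 2
    $dll        = $parts[0].Trim('"', ' ')
    $export     = if ($parts.Count -gt 1) { $parts[1].Trim() } else { '' }
    $inSystem   = $dll -match '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\'
    [pscustomobject]@{
        PID    = $_.ProcessId
        Parent = $parentName
        Dll    = $dll
        Export = $export
        Review = ($parentName -in 'explorer.exe', 'svchost.exe') -and -not $inSystem
    }
} | Format-Table -AutoSize

# 3. Stray copies of WinRAR.exe outside its install folders. Slow on large disks.
$known = @("$env:ProgramFiles\WinRAR", "${env:ProgramFiles(x86)}\WinRAR")
Get-ChildItem -Path "$env:SystemDrive\" -Filter WinRAR.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $known -notcontains $_.DirectoryName } |
    Select-Object FullName, Length, LastWriteTime
```

Rows marked Review are not proof of infection: explorer.exe legitimately starts rundll32.exe for control panel items and shell extensions, so check the DLL's signature and path before acting. The hash comparison in step 1 is the decisive check, since the version info resource is exactly what the malware forges.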
InvisiMole hides from the user and from analysts by encrypting its strings, configuration data, internal files and network traffic. The RC2FM module uses its own custom ciphers, while the wrapper DLL and the RC2CL module share a single routine, which the wrapper also uses to decrypt the modules embedded in it.
Module RC2FM Behavior
This is the smaller of the two modules. It is a backdoor that supports 15 commands. It talks to its C&C servers directly or through a proxy configured on the infected system; if a direct connection fails, it tries proxy settings taken from the web browsers present on the machine, including portable builds.
After connecting to a C&C server and registering the victim's system, it downloads additional data that is interpreted as backdoor commands on the local machine.
RC2FM can list basic system information and make simple changes to the system, and it carries the spyware features: on command, the attacker can enable the microphone and webcam and take screenshots of the victim's screen.
Its commands cover opening, modifying, deleting and closing files, changing file timestamps, editing registry keys and listing mapped drives.
Module RC2CL Behavior
RC2CL is also a backdoor, with far more extensive spying abilities than RC2FM. The wrapper DLL starts it in parallel with RC2FM.
RC2CL can switch off its backdoor functionality and act as a proxy instead: it disables the Windows firewall and starts a server that relays traffic between a client and the C&C servers, or between two clients.
RC2CL supports about 84 commands, including file system operations, registry key manipulation, file execution and a remote shell.
It collects the SSID and MAC address (BSSID) of visible Wi-Fi access points, which the attackers can use to geolocate the victim.
It can also remotely switch on the microphone and camera to spy on the victim and their surroundings.
The module can enable or disable User Account Control, and it works with files in protected locations without asking for administrator privileges by creating COM objects that delete and move files in locations that normally need administrator rights.
Storage of collected Data
The malware stores collected data in two places: a working directory and a set of working registry keys. The backdoor has dedicated commands for managing these locations and their contents.
The working directory also holds a legitimate copy of WinRAR.exe, used to compress the collected data before it is sent to the attackers.
Concluding thoughts
InvisiMole's spying and data-gathering capabilities would make it a serious threat at scale, but the attackers infected only about a dozen machines.
It uses a handful of techniques to evade detection and analysis, but the small number of targets is what let it stay undetected for almost half a decade.
Name – InvisiMole
Category – Malware, Trojan, Spyware
Targeted Operating Systems – Windows XP, Windows Vista, Windows 7, Windows 8.0/8.1, Windows 10
Nature – Spies on the victim through the microphone and camera, stores collected files in a working directory and working registry keys, and stays hidden.
InvisiMole should be removed as soon as it is found; otherwise it keeps spying on the system and its user. Keep reputable malware protection software installed and up to date, and follow the steps below in order to remove InvisiMole properly and without leaving traces behind.
Remove the proxy server from Internet Settings.
Warning – Before changing the proxy server settings, check with your Internet Service Provider that the proxy is not one they require.
Image 1: Proxy Server option checked
Image 2: Proxy Server option unchecked
Remove the programs allowed through Windows Firewall that you do not recognize.
Restart the system in Safe Mode with Command Prompt.
Once the system starts, sign in with an account that has administrative privileges to use Safe Mode with Command Prompt.
After the admin credentials are entered, a Command Prompt window opens, in which you can enter the commands below:
Restore your system files and settings.
Continue with steps 4 and 5 of Method 2 to restore the system files and settings.
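The proxy and firewall steps of the procedure above can be checked and, once confirmed, undone from PowerShell. The script below is an added example, not code from the original article. It reads the WinINet proxy values that the Internet Settings dialog stores under the current user's registry hive, shows the firewall state per profile (RC2CL switches the firewall off before acting as a relay), and lists enabled inbound allow rules whose program lies outside the Windows and Program Files trees. It assumes Windows 8 or later with the NetSecurity module (the Get-NetFirewall* cmdlets) and an elevated prompt; the path patterns treated as "normal" are the author's assumption.

```powershell
# Added remediation check; not from the original article.
# Run with $Remediate = $false first and read the output before changing anything.
$Remediate = $false   # set to $true only after confirming the proxy is not required by your ISP

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$cfg  = Get-ItemProperty -Path $inet

"ProxyEnable   : $($cfg.ProxyEnable)"     # 1 = a proxy is forced for this user
"ProxyServer   : $($cfg.ProxyServer)"     # e.g. 127.0.0.1:8080 points at a local relay
"AutoConfigURL : $($cfg.AutoConfigURL)"   # PAC script URL; another way to route traffic

# Firewall state per profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Enabled inbound allow rules whose program is outside the Windows and Program Files trees.
$odd = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $app = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($app -and $app -ne 'Any' -and
        $app -notmatch '^(%ProgramFiles%|%ProgramFiles\(x86\)%|%windir%|%SystemRoot%|System$|[A-Za-z]:\\(Windows|Program Files))') {
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app; Profile = $_.Profile }
    }
}
$odd | Format-Table -AutoSize

if ($Remediate) {
    Set-ItemProperty    -Path $inet -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -All -Enabled True
    foreach ($r in $odd) { Remove-NetFirewallRule -DisplayName $r.Rule }   # review $odd first
}
```

The registry values are per user, so repeat the proxy check for every account on the machine. Rules in the $odd table are only candidates for removal: third-party software installed outside Program Files will show up there too, which is why the remediation branch stays off by default.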
Tips to prevent your computer from getting infected –