InvisiMole Malware spyware Trojan
Trojan | 06/12/2018

How to remove InvisiMole Malware from the computer?


What is InvisiMole Malware?

InvisiMole Malware is a dangerous trojan used by nation-state backed perpetrators to infect computers. This malware is categorized as spyware and is used to collect data and track user activities. The InvisiMole malware was designed as a cyber-espionage tool and has infected a limited number of systems in Ukraine and Russia.

Since this trojan has infected only a few systems, it was able to stay hidden from detection for a period of 5 years. The timestamps on its files show that it has been active since October 2013. InvisiMole malware was first detected in May 2018 on infected computers in Russia and Ukraine.

The attack is highly targeted, which led the researchers to believe that it was planned and organized to spy on the targeted systems over a long period of time.

The modules of the InvisiMole Malware are embedded in the wrapper DLL, which contains two modules that are crucial to the infection. These two modules are the main feature-rich backdoors; they work together to gather as much information about the target as possible.

The methods used by the malware developers to infect these systems are still unknown. Physical installation of the InvisiMole malware is also possible, considering that it has infected only a limited number of machines.

InvisiMole Malware – Threat Behavior

The InvisiMole Malware installs two modules through its wrapper DLL that act as the spyware. RC2FM and RC2CL are the main modules that carry out the functions through which the malware developers can spy on the system.

The wrapper DLL is dropped in the Windows folder as a library file named mpr.dll, the same name as a legitimate Windows library, with a forged version info resource.

The malware is launched in one of two ways:

The first is DLL hijacking: the wrapper DLL is loaded into the Windows Explorer process during Windows startup.

The second method relies on a function called GetDataLength that the wrapper DLL exports. Before launching the payload into the system, the malware confirms that this function was loaded by rundll32.exe with either explorer.exe or svchost.exe as the parent process.

Both methods serve the malware's persistence on the system. Whichever launch method is used, the function of the two modules is the same: to spy on the user.

The InvisiMole malware hides from the user by encrypting its strings, configuration data, internal files and network communication. The RC2FM module uses custom ciphers, while the wrapper DLL and the RC2CL module share the same routine for decrypting the other malware modules embedded in the wrapper DLL.
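As an added defensive example (not code from the original article or from the researchers who analysed the malware), the following Python detection logic runs over constructed Sysmon-style process-creation records and flags the second launch method described above: rundll32.exe invoking the GetDataLength export with explorer.exe or svchost.exe as parent, and an mpr.dll loaded from the Windows folder rather than System32. The field names (Image, CommandLine, ParentImage) and the sample events are assumptions.

```python
"""Flag process-creation events matching the InvisiMole rundll32 loader pattern."""
import re
from typing import Iterable

WINDIR = r"c:\windows"          # the forged mpr.dll is dropped here, not in System32
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}  # parents the loader checks for

# Constructed sample events in Sysmon Event ID 1 style (field names are an assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\mpr.dll",GetDataLength',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",            # benign Control Panel call
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",            # same DLL, unexpected parent
     "CommandLine": r'rundll32.exe "C:\Windows\mpr.dll",GetDataLength',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# rundll32 <dll>,<export>  (the DLL path may be quoted)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\w+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like the InvisiMole loader (empty if none)."""
    reasons: list[str] = []
    if basename(event["Image"]) != "rundll32.exe":
        return reasons
    m = RUNDLL_RE.search(event["CommandLine"])
    if not m:
        return reasons
    dll, export = m.group("dll"), m.group("export")
    if export.lower() == "getdatalength":
        reasons.append("rundll32 calling export GetDataLength")
        if basename(event["ParentImage"]) in EXPECTED_PARENTS:
            reasons.append("parent is explorer.exe/svchost.exe (matches the loader's self-check)")
    # The legitimate mpr.dll lives in System32; a copy in the Windows root is the forged one.
    if basename(dll) == "mpr.dll" and dirname(dll) == WINDIR:
        reasons.append("mpr.dll loaded from the Windows folder instead of System32")
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that matched at least one indicator."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```

The third sample is still reported even though its parent is cmd.exe: the loader would refuse to run there, but the GetDataLength call and the misplaced mpr.dll are worth an alert on their own.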

Module RC2FM Behavior

This is the smaller of the two modules embedded in the wrapper DLL. It contains a backdoor and supports 15 commands. The module communicates with the C&C servers via a proxy configured on the infected system. When it cannot communicate directly with the C&C server, it attempts to use the executable files of various web browsers and their locally configured proxies.

After successfully connecting to the C&C servers and registering the victim's system, it downloads additional data, which is interpreted as backdoor commands on the local computer.

The RC2FM module can list basic system information and carry out simple changes to the system, in addition to its spyware features. When the attackers need to gather information about the victim, they can enable the system's audio and video capabilities and take screenshots of the screen, compromising the user's privacy.

This module can execute commands to open, modify, delete and close files, change file timestamps, change registry keys and list information about the mapped drives.

Module RC2CL Behavior

The RC2CL module is also a backdoor, with extensive spying abilities. It is launched by the wrapper DLL in parallel with the RC2FM module. This module is more capable than RC2FM in its spying abilities.

The RC2CL module can turn off its backdoor spying functionality and behave as a proxy instead. In that mode it turns off the Windows firewall and creates a server that relays communication between a client and the C&C servers, or between two clients.

The RC2CL module of the InvisiMole Malware can perform about 84 commands, including support commands such as file system operations, registry key manipulation, file execution and remote shell activation.

The malware can collect the SSIDs and MAC addresses of visible Wi-Fi access points, which it uses to geolocate the victim.

This module can also remotely activate the microphone and the camera of the system and spy on the victim and their surroundings.

User Account Control may be enabled or disabled by this module, and it can work with files in secure locations on the system without requiring administrator privileges: it creates COM objects to delete and move files in locations that need administrator rights.

Storage of collected Data

The malware stores the collected data in two places: a working directory and working registry keys. Dedicated backdoor commands manipulate these storage locations and their contents.

The working directory holds a legitimate copy of WinRAR.exe, used to compress the collected data before sending it to the attackers.

Concluding thoughts

The InvisiMole malware could have become a huge threat due to its vast spying and information-gathering capabilities, but the attackers did not install it on more than a dozen machines.

The malware uses a few techniques to avoid detection and analysis, but mainly because it infected only a few systems, it was able to avoid detection for almost half a decade.

Threat Summary

Name – InvisiMole Malware

Category – Malware, Trojan, Spyware

Targeted Operating Systems – Windows XP, Windows Vista, Windows 7, Windows 8.0/8.1, Windows 10

Nature – Spies on the victim by using the microphone and camera, copies files in working directory and working registry keys and stays hidden.

How to Remove InvisiMole Malware?

The InvisiMole malware should be removed from the system immediately; otherwise it will continue to spy on your system and on you. Follow the steps to remove InvisiMole Malware in sequence to delete it from the system without leaving any traces.

Use the best malware protection software to keep your PC risk free. Follow these steps to remove InvisiMole Malware properly and permanently.

STEP A – Remove the InvisiMole Malware from the system configuration.

  1. Type “Msconfig” in search box / Run Box, select it and press Enter.
  2. Click on “Services” Tab and click on “Hide all Microsoft services”.
  3. Select InvisiMole Malware from the list of remaining services, disable it by removing the tick mark from the checkbox, and click on the Apply button.

Windows 7

  1. Click on the next tab – “Startup”.
  2. Find any blank or suspicious entry or the entry with InvisiMole Malware mentioned and remove the check mark.
  3. Click on Apply button and then click on OK.

Windows 10

  1. Click on the next tab – “Startup”.
  2. Move the mouse cursor to the ‘Open Task Manager’ link and click on it. This opens the Task Manager window.
  3. Find any blank or suspicious entry or the entry with InvisiMole Malware mentioned and click on it.
  4. Then click on Disable button.

STEP B – Remove the Proxy servers created by InvisiMole malware in the System.

Remove Proxy Server from Internet Settings.

Warning – Before making any changes to the proxy server, check with your Internet Service Provider.

FOR WINDOWS 7

  1. Click on the Start button on the desktop.
  2. Type ‘inetcpl.cpl’ in the search bar.
  3. Click on the ‘inetcpl.cpl’ program.
  4. It will open the Internet Properties dialog box.
  5. Click on the Connections tab in the Internet Properties dialog box.
  6. Click on and remove any Virtual Private Network settings that are related to InvisiMole Malware.
  7. Now click on the LAN Settings button in the Connections tab.
  8. Uncheck the Proxy server option and use Automatic Configuration for your Internet settings.

Image 1: Checked Proxy server option

Image 2: Unchecked Proxy server option

FOR WINDOWS 10

  1. Type ‘inetcpl.cpl’ in the search bar.
  2. Click on the ‘inetcpl.cpl’ program.
  3. It will open the Internet Properties dialog box. Click on the Connections tab in the Internet Properties dialog box.
  4. Click on and remove any Virtual Private Network settings that are related to InvisiMole Malware.
  5. Now click on the LAN Settings button in the Connections tab.
  6. Uncheck the Proxy server option and use Automatic Configuration for your Internet settings.

Image 1: Checked Proxy server option (Windows 10)

Image 2: Unchecked Proxy server option (Windows 10)

STEP C – Remove the InvisiMole Malware from the allowed software list in the Windows firewall.

Remove the Programs allowed by Windows Firewall.

FOR WINDOWS 7

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. It will open the Control Panel dialog box.
  3. In the Control Panel dialog box click on the ‘View by:’ button on the top right. Select the Large Icons option.
  4. Click on the Windows Firewall icon. This will open the Windows Firewall dialog box.
  5. Click on ‘Allow a program or feature through Windows Firewall’.
  6. Now click on ‘Change settings’.
  7. Uncheck the programs related to InvisiMole Malware from the list.
  8. Close the window.

FOR WINDOWS 10

  1. Type ‘Control Panel’ in the search box present in the taskbar.
  2. Click on the ‘Control Panel’ option. It will open the Control Panel dialog box.
  3. In the Control Panel dialog box click on the ‘View by:’ button on the top right. Select the Large Icons option.
  4. Click on the Windows Defender Firewall icon. This will open the Windows Defender Firewall dialog box.
  5. Click on ‘Allow an app or feature through Windows Defender Firewall’.
  6. Now click on ‘Change settings’.
  7. Uncheck the programs related to InvisiMole Malware from the list.
  8. Close the window.

STEP D – Remove the service Created by InvisiMole Malware by restarting the system in Safe Mode with command prompt.

Restart System using Safe mode with Command Prompt

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping F8 key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Command Prompt from the list and press the Enter Key. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Command Prompt. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password.

Once the system starts, make sure you log in with an account that has administrative privileges to use Safe Mode with Command Prompt.

After the user enters the admin credentials, the Command Prompt window is displayed, where you can enter the following commands:

  1. Type the command “sc delete InvisiMole Malware” in the command prompt and press Enter.
  2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.


STEP E – Restore the system files and settings changed by InvisiMole Malware using System Restore.

Restore your system files and settings

Method 1: Using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icons option.
  4. In the Control Panel window click on the ‘Recovery’ icon. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open System Restore’ button. This will open the ‘System Restore’ window, where you need to click on the Next button.
  6. Select the restore point that is prior to the infiltration of InvisiMole Malware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by……………….

Method 2: Using Command Prompt

  1. Type cmd in the search box and click on Command Prompt to open the Command Prompt window.
  2. Once the Command Prompt window shows up, enter cd restore and press Enter. (Ensure that you are in the system32 directory of the Windows folder on the C drive.)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select the restore point that is prior to the infiltration of InvisiMole Malware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by InvisiMole Malware.


Method 3: Directly type ‘rstrui’ in the search box

  1. Type ‘rstrui’ in the search box present on the taskbar. This will open the System Restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

Tips to prevent your computer system from getting infected –

  1. Keep the Operating System updated – To remain protected and avoid such infections, keep your Operating System updated by enabling automatic updates on your system. Systems running outdated or older versions of the Operating System are an easy target for attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is sending spam emails to the user. The system gets infected as soon as the user opens the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third-party installations – Take due care while installing any third-party applications, as they are a major source of such infections. Malware programs come bundled with free applications, so the user needs to remain cautious.
  4. Regular periodic backups – To keep your data and files safe, take regular backups of all your data and files, either on an external drive or in the cloud.
  5. Use anti-virus protection – We strongly recommend the use of antivirus protection/internet security on your PC, such as Sophos and HitmanPro, so that it remains safe.
  6. Enable the ad blocker/popup blocker in your browser – Enabling the popup blocker/ad blocker in your chosen browser will help you stay protected from annoying adware.
