InvisiMole Spyware
This malware can turn the affected computer into a video camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device may be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and stealing the victim’s secrets.
At the time of publication, it is unclear how InvisiMole is distributed, although there are unconfirmed reports indicating it is manually delivered to targeted systems. The small number of available samples of the malware – combined with the secrecy with which it has been created and deployed – make it difficult to accurately determine delivery mechanism.
InvisiMole is comprised of two modules, RC2FM and RC2CL, with both being capable of collecting user data. RC2FM, the smaller of the two modules, can record audio from a device’s microphone, extract proxy browser settings and alter system files. The more advanced module, RC2CL, can execute files and commands, manipulate registry keys, disable security services and record audio or video.
ESET detection names
- Win32/InvisiMole.A
- Win32/InvisiMole.B
- Win32/InvisiMole.C
- Win32/InvisiMole.D
- Win64/InvisiMole.B
- Win64/InvisiMole.C
- Win64/InvisiMole.D
Host based indicators
SHA-1 hashes
5EE6E0410052029EAFA10D1669AE3AA04B508BF9 2FCC87AB226F4A1CC713B13A12421468C82CD586 B6BA65A48FFEB800C29822265190B8EAEA3935B1 C8C4B6BCB4B583BA69663EC3AED8E1E01F310F9F A5A20BC333F22FD89C34A532680173CBCD287FF8
Files and folders
RC2FM
%APPDATA%\Microsoft\Internet Explorer\Cache\AMB6HER8\
%volumeSerialNumber%.dat
content.dat
cache.dat
index.dat
%APPDATA%\Microsoft\Internet Explorer\Cache\MX0ROSB1\
content.dat
index.dat
%random%.%ext%
%APPDATA%\Microsoft\Internet Explorer\Cache\index0.dat
RC2CL
Winrar\
comment.txt
descript.ion
Default.SFX
WinRAR.exe
main.ico
fl_%timestamp%\strcn%num%\
fdata.dat
index.dat
~mrc_%random%.tmp
~src_%random%.tmp
~wbc_%random%.tmp
sc\~sc%random%.tmp
~zlp\zdf_%random%.data
~lcf\tfl_%random%
Registry keys and values
RC2FM
[HKEY_CURRENT_USER\Software\Microsoft\IE\Cache] "Index"
RC2CL
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Console] or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D] "Settings" "Type" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE] or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D] "Common" "Current" "ENC" "FFLT" "Flag1" "FlagLF" "FlagLF2" "IfData" "INFO" "InstallA" "InstallB" "LegacyImpersonationNumber" "LM" "MachineAccessStateData" "MachineState 0" "RPT" "SP2" "SP3" "SettingsMC" "SettingsSR1" "SettingsSR2"
Network indicators
InvisiMole’s C&C servers domains
activationstate.sytes[.]net advstatecheck.sytes[.]net akamai.sytes[.]net statbfnl.sytes[.]net updchecking.sytes[.]net
InvisiMole’s C&C servers IP addresses
46.165.231.85
213.239.220.41
46.165.241.129
46.165.241.153
78.46.35.74
95.215.111.109
185.118.66.163
185.118.67.233
185.156.173.92
46.165.230.241
194.187.249.157
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.