InvisiMole Spyware

InvisiMole turns an infected computer into a surveillance device: it captures video and audio, letting the attackers see and hear what is going on in the victim's office or wherever the machine happens to be. Once inside, its operators work on the system at will, closely monitoring the victim's activities and stealing the victim's data.

At the time of publication, it is unclear how InvisiMole is distributed, although there are unconfirmed reports that it is delivered manually to targeted systems. The small number of available samples, combined with the secrecy with which the malware has been created and deployed, makes it difficult to determine the delivery mechanism with any confidence.

InvisiMole consists of two modules, RC2FM and RC2CL, both of which collect user data. RC2FM, the smaller of the two, can record audio from the device's microphone, extract the browser's proxy settings and alter system files. The more capable module, RC2CL, can execute files and commands, manipulate registry keys, disable security services and record audio or video.

ESET detection names

  • Win32/InvisiMole.A
  • Win32/InvisiMole.B
  • Win32/InvisiMole.C
  • Win32/InvisiMole.D
  • Win64/InvisiMole.B
  • Win64/InvisiMole.C
  • Win64/InvisiMole.D

Host-based indicators

SHA-1 hashes

5EE6E0410052029EAFA10D1669AE3AA04B508BF9
2FCC87AB226F4A1CC713B13A12421468C82CD586
B6BA65A48FFEB800C29822265190B8EAEA3935B1
C8C4B6BCB4B583BA69663EC3AED8E1E01F310F9F
A5A20BC333F22FD89C34A532680173CBCD287FF8

Files and folders

RC2FM

%APPDATA%\Microsoft\Internet Explorer\Cache\AMB6HER8\
    %volumeSerialNumber%.dat
    content.dat
    cache.dat
    index.dat
%APPDATA%\Microsoft\Internet Explorer\Cache\MX0ROSB1\
    content.dat
    index.dat
    %random%.%ext%
%APPDATA%\Microsoft\Internet Explorer\Cache\index0.dat

RC2CL

Winrar\
    comment.txt
    descript.ion
    Default.SFX
    WinRAR.exe
    main.ico
fl_%timestamp%\strcn%num%\
    fdata.dat
    index.dat
~mrc_%random%.tmp
~src_%random%.tmp
~wbc_%random%.tmp
sc\~sc%random%.tmp
~zlp\zdf_%random%.data
~lcf\tfl_%random%



Registry keys and values

RC2FM

[HKEY_CURRENT_USER\Software\Microsoft\IE\Cache]
"Index"

RC2CL

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Console]
or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D]
"Settings"
"Type"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D]
"Common"
"Current"
"ENC"
"FFLT"
"Flag1"
"FlagLF"
"FlagLF2"
"IfData"
"INFO"
"InstallA"
"InstallB"
"LegacyImpersonationNumber"
"LM"
"MachineAccessStateData"
"MachineState 0"
"RPT"
"SP2"
"SP3"
"SettingsMC"
"SettingsSR1"
"SettingsSR2"

Network indicators

InvisiMole's C&C server domains

activationstate.sytes[.]net
advstatecheck.sytes[.]net
akamai.sytes[.]net
statbfnl.sytes[.]net
updchecking.sytes[.]net

InvisiMole's C&C server IP addresses

46.165.231.85
213.239.220.41
46.165.241.129
46.165.241.153
78.46.35.74
95.215.111.109
185.118.66.163
185.118.67.233
185.156.173.92
46.165.230.241
194.187.249.157
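The host-based and network indicators above can be turned directly into a hunting script. The following Python is an added example written for this page, not ESET's or the blog author's tooling: it copies the SHA-1 hashes, file-path patterns, C&C domains and IP addresses from the lists above and matches them offline against hash digests, Windows file paths and whitespace-delimited DNS, proxy or firewall log lines. The log lines inside the block are constructed test input, and the expansion rule for the page's %placeholder% notation (any depth for %APPDATA%, one path component for every other placeholder) is an assumption of mine.

```python
"""Offline matcher for the InvisiMole host and network indicators listed above.

Added example for this page, not ESET's or the blog author's tooling. The
hashes, path patterns, domains and IPs are copied from the lists above; the
log lines at the bottom are constructed test input.
"""
import hashlib
import re

# SHA-1 hashes of the published samples, compared case-insensitively.
SHA1_IOCS = {h.lower() for h in (
    "5EE6E0410052029EAFA10D1669AE3AA04B508BF9",
    "2FCC87AB226F4A1CC713B13A12421468C82CD586",
    "B6BA65A48FFEB800C29822265190B8EAEA3935B1",
    "C8C4B6BCB4B583BA69663EC3AED8E1E01F310F9F",
    "A5A20BC333F22FD89C34A532680173CBCD287FF8",
)}

# Path patterns in the page's notation, where %name% marks a per-victim or
# random value. The RC2CL paths are given without a parent directory, so every
# pattern is matched against the tail of a full path. Fixed-name files that
# sit beside a wildcard entry (content.dat, index.dat, ...) are covered by it.
PATH_PATTERNS = [
    r"%APPDATA%\Microsoft\Internet Explorer\Cache\AMB6HER8\%volumeSerialNumber%.dat",
    r"%APPDATA%\Microsoft\Internet Explorer\Cache\MX0ROSB1\%random%.%ext%",
    r"%APPDATA%\Microsoft\Internet Explorer\Cache\index0.dat",
    r"fl_%timestamp%\strcn%num%\fdata.dat",
    r"~mrc_%random%.tmp",
    r"~src_%random%.tmp",
    r"~wbc_%random%.tmp",
    r"sc\~sc%random%.tmp",
    r"~zlp\zdf_%random%.data",
    r"~lcf\tfl_%random%",
]

# Domains are kept defanged exactly as published and refanged at load time.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "activationstate.sytes[.]net", "advstatecheck.sytes[.]net",
    "akamai.sytes[.]net", "statbfnl.sytes[.]net", "updchecking.sytes[.]net",
)}
C2_IPS = {
    "46.165.231.85", "213.239.220.41", "46.165.241.129", "46.165.241.153",
    "78.46.35.74", "95.215.111.109", "185.118.66.163", "185.118.67.233",
    "185.156.173.92", "46.165.230.241", "194.187.249.157",
}

_PLACEHOLDER = re.compile(r"%([A-Za-z]+)%")
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def pattern_to_regex(pattern):
    """Compile one page-style path pattern into a case-insensitive regex.
    Assumed rule: %APPDATA% may span several directories, any other
    placeholder is confined to a single path component."""
    parts = _PLACEHOLDER.split(pattern)  # literal, name, literal, name, ...
    body = "".join(
        re.escape(p) if i % 2 == 0 else (r".+" if p.upper() == "APPDATA" else r"[^\\]+")
        for i, p in enumerate(parts)
    )
    return re.compile(r"(?:^|\\)" + body + r"$", re.IGNORECASE)


_COMPILED = [(p, pattern_to_regex(p)) for p in PATH_PATTERNS]


def match_path(full_path):
    """Return the page pattern that a Windows path matches, or None."""
    for pattern, rx in _COMPILED:
        if rx.search(full_path):
            return pattern
    return None


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large files never sit in memory whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_sample(sha1_hex):
    """True if a SHA-1 hex digest is one of the published sample hashes."""
    return sha1_hex.lower() in SHA1_IOCS


def scan_network_log(lines):
    """Return (line_number, indicator) for every line naming a C&C host or IP.
    Tokens are lower-cased, stripped of a trailing dot and of an :port suffix,
    then looked up in the published sets; first hit per line is reported."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            t = token.lower().rstrip(".,;")
            m = _IP_PORT.match(t)
            if m:
                t = m.group(1)
            if t in C2_DOMAINS or t in C2_IPS:
                hits.append((n, t))
                break
    return hits


# Constructed sample log lines (not real telemetry) for a quick self-check;
# 203.0.113.5 is a documentation address and must not match.
SAMPLE_LOG = [
    "2018-06-07T10:01:12Z 10.0.0.15 dns A updchecking.sytes.net.",
    "2018-06-07T10:01:13Z 10.0.0.15 tcp 46.165.231.85:443 SYN",
    "2018-06-07T10:02:00Z 10.0.0.22 dns A www.example.com.",
    "2018-06-07T10:02:05Z 10.0.0.22 tcp 203.0.113.5:443 SYN",
]

if __name__ == "__main__":
    print(scan_network_log(SAMPLE_LOG))
    print(match_path(r"C:\Users\bob\AppData\Local\Temp\~mrc_3f9a.tmp"))
```

Run it as a script for the self-check, or import it and feed `match_path` each path from a file-system walk and `sha1_of_file` each candidate that matches. Three caveats. The `Winrar\` names on the page (WinRAR.exe, Default.SFX, descript.ion) are also the file names of a legitimate WinRAR installation, so a path match on them alone proves nothing; they are deliberately left out of the pattern list. The registry values are not checked here because they need a live host (`reg query` or Python's `winreg` module); the parent keys listed for RC2CL, `...\CurrentVersion\Console` and `SOFTWARE\Microsoft\OLE`, exist on a clean Windows install, so only the value names are indicators. Finally, match the full sytes[.]net hostnames rather than the parent domain, which is a shared dynamic-DNS service used by many unrelated hosts.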




Duncan Newell

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
