InvisiMole
InvisiMole is a modular spyware program that has been used by threat actors since at least 2013. InvisiMole has two backdoor modules, called RC2FM and RC2CL, that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. [1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | InvisiMole can bypass UAC and create an elevated COM object to escalate privileges.[1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | InvisiMole has a command to list account information on the victim's machine.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | InvisiMole uses HTTP for C2 communications.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[1] |
| Enterprise | T1123 | Audio Capture | InvisiMole can record sound using input audio devices.[1] |
| Enterprise | T1119 | Automated Collection | Each time a new drive is inserted, InvisiMole generates a list of all files on the drive and stores it in an encrypted file.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | InvisiMole can launch a remote shell to execute commands.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisiMole can decrypt, unpack, and load a DLL from its resources.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | InvisiMole uses variations of a simple XOR encryption routine for C&C communications.[1] |
| Enterprise | T1083 | File and Directory Discovery | InvisiMole can list information about files in a directory.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | InvisiMole can be launched by using DLL search order hijacking, in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.[1] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | InvisiMole has a command to disable routing and the firewall on the victim's machine.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | InvisiMole has a command to delete a file, and it deletes files after they have been successfully uploaded to C2 servers.[1] |
| Enterprise | T1070.006 | Indicator Removal on Host: Timestomp | InvisiMole samples were timestomped by the authors by setting the PE timestamps to all-zero values. InvisiMole also has a built-in command to modify file times.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | InvisiMole can upload files to the victim's machine for operations.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | InvisiMole saves one of its files as mpr.dll in the Windows folder, masquerading as a legitimate library file.[1] |
| Enterprise | T1112 | Modify Registry | InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.[1] |
| Enterprise | T1135 | Network Share Discovery | InvisiMole can gather network share information.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | InvisiMole avoids analysis by encrypting all strings, internal files, and configuration data.[1] |
| Enterprise | T1057 | Process Discovery | InvisiMole obtains a list of running processes.[1] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | InvisiMole can function as a proxy, creating a server that relays communication between the client and the C&C server, or between two clients.[1] |
| Enterprise | T1012 | Query Registry | InvisiMole can enumerate Registry values, keys, and data.[1] |
| Enterprise | T1113 | Screen Capture | InvisiMole can capture screenshots not only of the entire screen but of each separate open window, in case they are overlapping.[1] |
| Enterprise | T1082 | System Information Discovery | InvisiMole can gather information on the mapped drives, OS version, computer name, and memory size.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | InvisiMole gathers information on the IP forwarding table, MAC address, and network SSID.[1] |
| Enterprise | T1033 | System Owner/User Discovery | InvisiMole lists local users and session information.[1] |
| Enterprise | T1007 | System Service Discovery | InvisiMole can obtain running services on the victim.[1] |
| Enterprise | T1124 | System Time Discovery | InvisiMole gathers the local system time from the victim's machine.[1] |
| Enterprise | T1125 | Video Capture | InvisiMole can remotely activate the victim's webcam to capture content.[1] |
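The Timestomp row above notes that the authors wiped the PE compile timestamp to zero. That is a cheap thing to hunt for during sample triage: the COFF file header's TimeDateStamp sits at a fixed offset from the PE signature, so a zeroed value can be flagged without a full PE parser. The following is an added example written for this page, not code from the source report or from the malware; the `build_stub_pe` helper fabricates a minimal MZ/PE header purely so the check runs offline, and the sample names in the demo are constructed.

```python
import struct

COFF_HEADER_LEN = 24  # "PE\0\0" signature (4) + COFF file header (20)


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Raises ValueError on anything that is not a well-formed MZ/PE header, so a
    caller can tell "not a PE" apart from "PE with a zeroed timestamp".
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + COFF_HEADER_LEN > len(data):
        raise ValueError("e_lfanew points outside the buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header layout after the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def has_zeroed_timestamp(data: bytes) -> bool:
    """True when the compile timestamp was wiped to zero (the pattern in the table)."""
    return pe_timestamp(data) == 0


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header for the demo; not a real InvisiMole sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def triage(samples: dict) -> dict:
    """Map each sample name to 'zeroed', 'set', or 'not-pe'."""
    results = {}
    for name, blob in samples.items():
        try:
            results[name] = "zeroed" if has_zeroed_timestamp(blob) else "set"
        except ValueError:
            results[name] = "not-pe"
    return results


if __name__ == "__main__":
    # Constructed inputs: two fake headers and one non-PE blob.
    demo = {
        "wiped.dll": build_stub_pe(0),
        "normal.dll": build_stub_pe(0x5A0B7F10),
        "notes.txt": b"just text",
    }
    for name, verdict in triage(demo).items():
        print(f"{name}: {verdict}")
```

Treat a zero stamp as a triage lead rather than proof: some build pipelines zero the field deliberately for reproducible output, and a stamp that is set can still have been back-dated. To run the check on real files, read each file's bytes and pass them to `triage`; for the file-time modification the table also mentions, compare NTFS $STANDARD_INFORMATION against $FILE_NAME timestamps with a forensic tool, since that lives in the file system rather than in the PE header.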