Security researchers from ESET have discovered a complex piece of spyware that was used sparingly in the last five years to infect and spy on a very small number of targets in Russia and Ukraine.
While the origin of this new malware strain, named InvisiMole, has not been determined yet, it is believed to be an advanced cyber-espionage tool, most likely created for nation-state or financially-motivated hacks.
This assessment is based on the fact that the malware has been seen very rarely, being found on "only a few dozen computers," but also on its broad spectrum of capabilities, something that would have taken months if not years to develop and is certainly not the work of an ordinary smash-and-grab cyber-criminal.
Except for the malware's binary file, very little is known about who is behind it, how it spreads, or in what types of campaigns it has been used.
"Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia," said ESET researcher Zuzana Hromcová, who recently penned an in-depth report about this new threat.
"All infection vectors are possible, including installation facilitated by physical access to the machine," Hromcová added.
Typical of malware used in highly-targeted attacks, InvisiMole has been stripped of most clues that could lead researchers back to its author. With the exception of one file (dating to October 13, 2013), all compilation dates have been stripped and replaced with zeros, giving few clues regarding its timeline and lifespan.
Furthermore, the malware is a clever piece of coding in itself: it comprises two modules, each with its own set of spying features, which can also assist each other in exfiltrating data.
The first of InvisiMole's main modules is called RC2FM. It is the smaller of the two and supports only 15 commands, combining functions that alter the local system with functions that search for and steal data.
This module is not as advanced as the second, but its most novel feature is the ability to extract proxy settings from browsers and use those configurations to send data to its command and control server when the local network settings would otherwise prevent the module from talking to its master server.
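A triage check for the timestamp stripping described above, written here as an added example (not ESET's code and not derived from InvisiMole samples): it reads the COFF TimeDateStamp from a PE image and flags a zeroed value, which is the artifact a defender would look for when dating samples. The stub builder constructs synthetic PE-shaped buffers purely so the check can run offline.

```python
import struct
from datetime import datetime, timezone

COFF_TIMESTAMP_OFFSET = 8  # "PE\0\0" (4 bytes) + Machine (2) + NumberOfSections (2)


def build_pe_stub(timestamp: int) -> bytes:
    """Construct a minimal PE-shaped buffer (synthetic test data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew points at the PE signature
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, validating the MZ/PE headers first."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    return struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)[0]


def triage_timestamp(data: bytes) -> dict:
    """Classify a sample's compile timestamp: zeroed (stripped) or present (with UTC date)."""
    ts = pe_timestamp(data)
    if ts == 0:
        return {"timestamp": 0, "verdict": "zeroed", "utc": None}
    utc = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {"timestamp": ts, "verdict": "present", "utc": utc}


def triage_samples(samples: dict) -> dict:
    """Run the check over a name->bytes mapping and return name->result."""
    return {name: triage_timestamp(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    # Constructed inputs: one stripped sample and one dated to the page's 2013-10-13 file.
    demo = {"stripped.dll": build_pe_stub(0), "dated.dll": build_pe_stub(1381622400)}
    for name, result in triage_samples(demo).items():
        print(name, result)
```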
Some of this module's commands allow it to turn on the user's microphone, record audio, encode it as MP3 and send it to the InvisiMole C&C server.
RC2FM can also turn on the user's webcam and take screenshots. It can also monitor local drives, retrieve system info, and make system config alterations.
The second InvisiMole module, RC2CL, is the more advanced of the two. It supports 84 backdoor commands and includes almost all the capabilities you would expect from an advanced spyware strain.
This includes support for running remote shell commands, registry key manipulation, file execution, getting a list of local apps, loading drivers, getting network information, disabling UAC, turning off the Windows firewall, and more. RC2CL can also record audio via the microphone and take screenshots via the webcam, just like the first module.
But Hromcová says the module also possesses some unique features. One of these is the ability to safe-delete its own files after data collection has taken place. This step prevents forensics tools from recovering remnants of those files on disk and learning what the malware might have gathered and sent to its C&C server.
Another unique feature is RC2CL's ability to act as a proxy, relaying communications between the first module and the attacker's C&C server, a behavior that has not been seen in other strains.
All in all, this is a devilish and clearly very powerful cyber-espionage tool, and probably one of the best around.