This malware can turn the affected computer into a video camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device may be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and stealing the victim’s secrets.
At the time of publication, it is unclear how InvisiMole is distributed, although there are unconfirmed reports indicating it is manually delivered to targeted systems. The small number of available samples of the malware – combined with the secrecy with which it has been created and deployed – make it difficult to accurately determine delivery mechanism.
InvisiMole is comprised of two modules, RC2FM and RC2CL, with both being capable of collecting user data. RC2FM, the smaller of the two modules, can record audio from a device’s microphone, extract proxy browser settings and alter system files. The more advanced module, RC2CL, can execute files and commands, manipulate registry keys, disable security services and record audio or video.
ESET detection names
Host based indicators
5EE6E0410052029EAFA10D1669AE3AA04B508BF9 2FCC87AB226F4A1CC713B13A12421468C82CD586 B6BA65A48FFEB800C29822265190B8EAEA3935B1 C8C4B6BCB4B583BA69663EC3AED8E1E01F310F9F A5A20BC333F22FD89C34A532680173CBCD287FF8
Files and folders
%APPDATA%\Microsoft\Internet Explorer\Cache\AMB6HER8\ %volumeSerialNumber%.dat content.dat cache.dat index.dat %APPDATA%\Microsoft\Internet Explorer\Cache\MX0ROSB1\ content.dat index.dat %random%.%ext% %APPDATA%\Microsoft\Internet Explorer\Cache\index0.dat
Winrar\ comment.txt descript.ion Default.SFX WinRAR.exe main.ico fl_%timestamp%\strcn%num%\ fdata.dat index.dat ~mrc_%random%.tmp ~src_%random%.tmp ~wbc_%random%.tmp sc\~sc%random%.tmp ~zlp\zdf_%random%.data ~lcf\tfl_%random%
Registry keys and values
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Console] or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D] "Settings" "Type" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE] or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D] "Common" "Current" "ENC" "FFLT" "Flag1" "FlagLF" "FlagLF2" "IfData" "INFO" "InstallA" "InstallB" "LegacyImpersonationNumber" "LM" "MachineAccessStateData" "MachineState 0" "RPT" "SP2" "SP3" "SettingsMC" "SettingsSR1" "SettingsSR2"
InvisiMole’s C&C servers domains
activationstate.sytes[.]net advstatecheck.sytes[.]net akamai.sytes[.]net statbfnl.sytes[.]net updchecking.sytes[.]net
InvisiMole’s C&C servers IP addresses
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.