S0260 InvisiMole
InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.12
| Item | Value |
|---|---|
| ID | S0260 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.1 |
| Created | 17 October 2018 |
| Last Modified | 29 November 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.12 |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | InvisiMole has a command to list account information on the victim’s machine.1 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | InvisiMole uses HTTP for C2 communications.1 |
| enterprise | T1071.004 | DNS | InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.2 |
| enterprise | T1010 | Application Window Discovery | InvisiMole can enumerate windows and child windows on a compromised host.12 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.1 |
| enterprise | T1560.002 | Archive via Library | InvisiMole can use zlib to compress and decompress data.12 |
| enterprise | T1560.003 | Archive via Custom Method | InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.1 |
| enterprise | T1123 | Audio Capture | InvisiMole can record sound using input audio devices.12 |
| enterprise | T1119 | Automated Collection | InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.12 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | InvisiMole can place a lnk file in the Startup Folder to achieve persistence.2 |
| enterprise | T1547.009 | Shortcut Modification | InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.2 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | InvisiMole can launch a remote shell to execute commands.12 |
| enterprise | T1059.007 | JavaScript | InvisiMole can use a JavaScript file as part of its execution chain.2 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.2 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.2 |
| enterprise | T1005 | Data from Local System | InvisiMole can collect data from the system, and can monitor changes in specified directories.1 |
| enterprise | T1025 | Data from Removable Media | InvisiMole can collect jpeg files from connected MTP devices.2 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol Impersonation | InvisiMole can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP.12 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.12 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.12 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | InvisiMole uses variations of a simple XOR encryption routine for C&C communications.1 |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.001 | Environmental Keying | InvisiMole can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.2 |
| enterprise | T1203 | Exploitation for Client Execution | InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.2 |
| enterprise | T1068 | Exploitation for Privilege Escalation | InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.2 |
| enterprise | T1210 | Exploitation of Remote Services | InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively.2 |
| enterprise | T1008 | Fallback Channels | InvisiMole has been configured with several servers available for alternate C2 communications.12 |
| enterprise | T1083 | File and Directory Discovery | InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | InvisiMole can create hidden system directories.2 |
| enterprise | T1564.003 | Hidden Window | InvisiMole has executed legitimate tools in hidden windows.2 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | InvisiMole has a command to disable routing and the Firewall on the victim’s machine.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.12 |
| enterprise | T1070.005 | Network Share Connection Removal | |
| InvisiMole can disconnect previously connected remote drives.1 | |||
| enterprise | T1070.006 | Timestomp | InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.1 |
| enterprise | T1105 | Ingress Tool Transfer | InvisiMole can upload files to the victim’s machine for operations.12 |
| enterprise | T1490 | Inhibit System Recovery | InvisiMole can can remove all system restore points.1 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | InvisiMole can capture keystrokes on a compromised host.2 |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.2 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.2 |
| enterprise | T1036.005 | Match Legitimate Name or Location | InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.12 |
| enterprise | T1112 | Modify Registry | InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.12 |
| enterprise | T1106 | Native API | InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.2 |
| enterprise | T1046 | Network Service Discovery | InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.2 |
| enterprise | T1135 | Network Share Discovery | InvisiMole can gather network share information.1 |
| enterprise | T1095 | Non-Application Layer Protocol | InvisiMole has used TCP to download additional modules.2 |
| enterprise | T1027 | Obfuscated Files or Information | InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.12 |
| enterprise | T1027.005 | Indicator Removal from Tools | InvisiMole has undergone regular technical improvements in an attempt to evade detection.2 |
| enterprise | T1057 | Process Discovery | InvisiMole can obtain a list of running processes.12 |
| enterprise | T1055 | Process Injection | InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.2 |
| enterprise | T1055.002 | Portable Executable Injection | InvisiMole can inject its backdoor as a portable executable into a target process.2 |
| enterprise | T1055.004 | Asynchronous Procedure Call | InvisiMole can inject its code into a trusted process via the APC queue.2 |
| enterprise | T1055.015 | ListPlanting | InvisiMole has used ListPlanting to inject code into a trusted process.2 |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.1 |
| enterprise | T1090.002 | External Proxy | InvisiMole InvisiMole can identify proxy servers used by the victim and use them for C2 communication.12 |
| enterprise | T1012 | Query Registry | InvisiMole can enumerate Registry values, keys, and data.1 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.2 |
| enterprise | T1113 | Screen Capture | InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.12 |
| enterprise | T1518 | Software Discovery | InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system.12 |
| enterprise | T1518.001 | Security Software Discovery | InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.2 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.002 | Control Panel | InvisiMole can register itself for execution and persistence via the Control Panel.2 |
| enterprise | T1218.011 | Rundll32 | InvisiMole has used rundll32.exe for execution.2 |
| enterprise | T1082 | System Information Discovery | InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.12 |
| enterprise | T1016 | System Network Configuration Discovery | InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.12 |
| enterprise | T1033 | System Owner/User Discovery | InvisiMole lists local users and session information.1 |
| enterprise | T1007 | System Service Discovery | InvisiMole can obtain running services on the victim.1 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | InvisiMole has used Windows services as a way to execute its malicious payload.2 |
| enterprise | T1124 | System Time Discovery | InvisiMole gathers the local system time from the victim’s machine.12 |
| enterprise | T1080 | Taint Shared Content | InvisiMole can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.2 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | InvisiMole can deliver trojanized versions of software and documents, relying on user execution.2 |
| enterprise | T1125 | Video Capture | InvisiMole can remotely activate the victim’s webcam to capture content.12 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.2 |
References
-
Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩