Skip to content

S0260 InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.12

Item Value
ID S0260
Associated Names
Type MALWARE
Version 2.1
Created 17 October 2018
Last Modified 29 November 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.12
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account InvisiMole has a command to list account information on the victim’s machine.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols InvisiMole uses HTTP for C2 communications.1
enterprise T1071.004 DNS InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.2
enterprise T1010 Application Window Discovery InvisiMole can enumerate windows and child windows on a compromised host.12
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.1
enterprise T1560.002 Archive via Library InvisiMole can use zlib to compress and decompress data.12
enterprise T1560.003 Archive via Custom Method InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.1
enterprise T1123 Audio Capture InvisiMole can record sound using input audio devices.12
enterprise T1119 Automated Collection InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder InvisiMole can place a lnk file in the Startup Folder to achieve persistence.2
enterprise T1547.009 Shortcut Modification InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell InvisiMole can launch a remote shell to execute commands.12
enterprise T1059.007 JavaScript InvisiMole can use a JavaScript file as part of its execution chain.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.2
enterprise T1132 Data Encoding -
enterprise T1132.002 Non-Standard Encoding InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.2
enterprise T1005 Data from Local System InvisiMole can collect data from the system, and can monitor changes in specified directories.1
enterprise T1025 Data from Removable Media InvisiMole can collect jpeg files from connected MTP devices.2
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation InvisiMole can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP.12
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.12
enterprise T1140 Deobfuscate/Decode Files or Information InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.12
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography InvisiMole uses variations of a simple XOR encryption routine for C&C communications.1
enterprise T1480 Execution Guardrails -
enterprise T1480.001 Environmental Keying InvisiMole can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.2
enterprise T1203 Exploitation for Client Execution InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.2
enterprise T1068 Exploitation for Privilege Escalation InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.2
enterprise T1210 Exploitation of Remote Services InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively.2
enterprise T1008 Fallback Channels InvisiMole has been configured with several servers available for alternate C2 communications.12
enterprise T1083 File and Directory Discovery InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories InvisiMole can create hidden system directories.2
enterprise T1564.003 Hidden Window InvisiMole has executed legitimate tools in hidden windows.2
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall InvisiMole has a command to disable routing and the Firewall on the victim’s machine.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.12
enterprise T1070.005 Network Share Connection Removal
InvisiMole can disconnect previously connected remote drives.1
enterprise T1070.006 Timestomp InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.1
enterprise T1105 Ingress Tool Transfer InvisiMole can upload files to the victim’s machine for operations.12
enterprise T1490 Inhibit System Recovery InvisiMole can can remove all system restore points.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging InvisiMole can capture keystrokes on a compromised host.2
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.2
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.2
enterprise T1036.005 Match Legitimate Name or Location InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.12
enterprise T1112 Modify Registry InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.12
enterprise T1106 Native API InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.2
enterprise T1046 Network Service Discovery InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.2
enterprise T1135 Network Share Discovery InvisiMole can gather network share information.1
enterprise T1095 Non-Application Layer Protocol InvisiMole has used TCP to download additional modules.2
enterprise T1027 Obfuscated Files or Information InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.12
enterprise T1027.005 Indicator Removal from Tools InvisiMole has undergone regular technical improvements in an attempt to evade detection.2
enterprise T1057 Process Discovery InvisiMole can obtain a list of running processes.12
enterprise T1055 Process Injection InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.2
enterprise T1055.002 Portable Executable Injection InvisiMole can inject its backdoor as a portable executable into a target process.2
enterprise T1055.004 Asynchronous Procedure Call InvisiMole can inject its code into a trusted process via the APC queue.2
enterprise T1055.015 ListPlanting InvisiMole has used ListPlanting to inject code into a trusted process.2
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.1
enterprise T1090.002 External Proxy InvisiMole InvisiMole can identify proxy servers used by the victim and use them for C2 communication.12
enterprise T1012 Query Registry InvisiMole can enumerate Registry values, keys, and data.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.2
enterprise T1113 Screen Capture InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.12
enterprise T1518 Software Discovery InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system.12
enterprise T1518.001 Security Software Discovery InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.002 Control Panel InvisiMole can register itself for execution and persistence via the Control Panel.2
enterprise T1218.011 Rundll32 InvisiMole has used rundll32.exe for execution.2
enterprise T1082 System Information Discovery InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.12
enterprise T1016 System Network Configuration Discovery InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.12
enterprise T1033 System Owner/User Discovery InvisiMole lists local users and session information.1
enterprise T1007 System Service Discovery InvisiMole can obtain running services on the victim.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution InvisiMole has used Windows services as a way to execute its malicious payload.2
enterprise T1124 System Time Discovery InvisiMole gathers the local system time from the victim’s machine.12
enterprise T1080 Taint Shared Content InvisiMole can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File InvisiMole can deliver trojanized versions of software and documents, relying on user execution.2
enterprise T1125 Video Capture InvisiMole can remotely activate the victim’s webcam to capture content.12
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.2

References

Back to top