InvisiMole

By GoldSparrow in Spyware

InvisiMole is spyware used in attacks against specific targets. InvisiMole may be part of espionage or surveillance operations and allows criminals to carry out sophisticated attacks against their targets. InvisiMole gives an attacker backdoor access to a targeted device and also lets the attacker record audio and video using the affected device's capture hardware (such as a webcam). InvisiMole is distributed mainly through phishing attacks or by physical access to the targeted device. Once installed, InvisiMole runs in the background and is quite difficult to detect. It silently collects data from the affected computer and allows the attackers to use the computer to spy on its surroundings.

How an Attacker can Use InvisiMole to Spy on its Victim

InvisiMole can keep the affected computer's camera and microphone on without the victim's knowledge, allowing its operators to record audio and video from the affected computer secretly. InvisiMole can stream video from the affected computer over an encrypted connection, essentially allowing the attacker to view, in real time, what is being recorded. Furthermore, like most backdoor Trojans, InvisiMole can be used to collect data from the affected computer. InvisiMole can monitor software and network communications on the affected computer and allows malicious code to be executed on it remotely. In short, InvisiMole gives an attacker remote access to the victim's computer.

Additional Characteristics of the InvisiMole Malware

Several features of InvisiMole have caught the attention of PC security researchers. InvisiMole can connect to its Command and Control servers by taking advantage of various proxy and browser configurations. Generally, InvisiMole uses WinRAR and Lame in its attack (both are legitimate software). WinRAR is used to compress any data collected by InvisiMole before it is sent to InvisiMole's Command and Control servers. Lame is used to convert any audio recorded on the affected computer into an MP3 file, which is then sent to the Command and Control servers for additional processing and monitoring. InvisiMole is also capable of taking screenshots of the infected computer and of interfering with Windows Explorer, allowing the attackers to rename and delete files, create new directories, and carry out any operation on the infected computer.

Some of the IP addresses that have been linked to InvisiMole attacks include:


The following domains have been associated with InvisiMole Command and Control servers:


InvisiMole uses a modular structure that makes its attacks highly effective and difficult to defend against.

Who is Responsible for InvisiMole?

The versatility and sophistication of InvisiMole suggest that it may be part of a high-level espionage or state-sponsored attack rather than the work of a smaller criminal group. Investigations into InvisiMole suggest that this threat has been active for at least the last five years. However, InvisiMole was not discovered until recently. One aspect of InvisiMole that has caught attention is that it is highly targeted and has only been detected on a few dozen computers. This indicates that InvisiMole is not being used in widespread attacks but rather against specific targets with valuable information. This differs from similar malware that may be disseminated widely and seemingly at random, in the hope of eventually catching a high-profile target.
