The resurgence of the Invisimole Malware

July 5, 2020

It started in 2013 and was publicly exposed in 2018; now the Invisimole malware attack has resurfaced with a more sophisticated and stealthier comeback. This knowledge came from a collaborative effort between the compromised firm and cybersecurity experts at ESET. Through the evidence gathered, ESET confirmed that high-ranking military and diplomatic organizations in the Eastern Europe region have been the main targets of this modern cyber espionage.


How the attack was used for spying

Based on the facts their team gathered, the Invisimole malware was used earlier in cyber-espionage targeting Ukraine and the Russian government. With its exposure in 2018, the cyber world became aware of this attack and was able to put mitigations in place immediately. However, in the recent discovery, Invisimole has become more aggressive and lethal, as its creators were able to collaborate with the Gamaredon hacking group, known for its long history and reputation of cyber-espionage activity.


Enhanced Invisimole

The enhanced Invisimole came with richer-featured spyware components called RC2CL and RC2FM. The enhanced Invisimole consists of advanced worm code that mainly targets vulnerabilities in Windows systems, specifically the reported BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) flaws in the RDP and SMB protocols. The researchers' report did not adequately detail the initial entry of these worms; still, speculation points to tampered emails or untrusted sites that the targeted individuals may have visited.


A combination of different spyware features

RC2CL mainly targets the RDP protocol, compromising the system so that the attacker can perform command and control over the infected machine. It can turn on the system's webcam and microphone to capture photos and video recordings, including sound, for active reconnaissance. It can also skim through installed software and the recent activity of the victim. RC2FM, in turn, is mainly used by the exploit for the SMB protocol (the Windows protocol for data sharing and system communication) and is responsible for gathering sensitive data; it can bypass User Access Control (UAC) to reach data stored for multiple accounts and can record keystrokes. Both spyware features are commended for their resilience in hiding within legitimate processes, a trait that resists scanning by anti-malware programs. This is in addition to their DNS tunneling capability, used to communicate under the radar from the compromised system to the attacker-controlled server for command and control and for collecting stolen data.

This exposure is excellent news and added awareness for ESET. The event is a reminder to be more vigilant and proactive in battling cyber-espionage. Malicious actors are not working alone but are collaborating with other hackers to devise more lethal and effective worms to brute-force their entry into their targets.
