
InvisiMole

Posted: June 13, 2018

InvisiMole is spyware and a backdoor Trojan that runs passively on the infected PC and may grant criminals control over your computer through remotely issued commands. The InvisiMole threat also is equipped with information-stealing capabilities that cover both the PC environment and the user's physical workspace (via related devices such as webcams). Since the Trojan's presence is effectively invisible, malware experts strongly advise protecting yourself and your computer with anti-malware products that can delete InvisiMole without needing your direct intervention.

The Mole that's Been Underground for Quite Some Time

Shockingly, an ongoing spyware campaign that may be five or more years old is only now becoming available for analysis by the cyber-security industry. The InvisiMole campaign became identifiable to malware researchers and other industry experts after a series of attacks against Ukrainian and Russian targets. Although InvisiMole does include some features for protecting its identity and covering up evidence of infection, its stealth is evidently due primarily to its highly limited set of targets.

InvisiMole's threat actors are circulating it against small quantities of hand-picked targets, with infections confirmed on fewer than twenty PCs. However, the combination of a backdoor Trojan and spyware gives criminals the capability to take limitless control over the computer or collect highly sensitive information, all while showing no symptoms. Unusually, malware researchers also note that InvisiMole includes two semi-redundant modules, which could be intended as 'backups' in case of partially impaired functionality.

InvisiMole's two modules are RC2FM and RC2CL, both of which include various backdoor and information-collecting features. However, the former provides more control functionality, while the latter offers extra spyware commands. Some of the attack capabilities that malware analysts attribute to one or both modules include:

  • InvisiMole may activate the microphone or webcam automatically for recording audio and video.
  • InvisiMole may take screenshots of the monitor's display, as well as capture individual windows (to record information that could be covered by overlapping ones).
  • InvisiMole harvests different forms of system information automatically, including what files are on all available hard drives.
  • Like other backdoor Trojans, InvisiMole also gives criminals acting through their C&C servers the ability to modify, upload, delete or open arbitrary files. The most notable use of this capability is InvisiMole's altering of the details of any data that it accesses, such as falsifying 'date modified' timestamps to hide its presence.
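One way a defender can hunt for the falsified 'date modified' values described in the last point, as an added example that is not from the original page or from any published InvisiMole analysis; it works over constructed sample records (not real InvisiMole artifacts) and reads live files only through the standard os.stat fields:

```python
import os
from dataclasses import dataclass
from typing import Dict, List

NS_PER_SEC = 1_000_000_000


@dataclass
class FileTimes:
    """Timestamps for one file in nanoseconds since the epoch, as os.stat reports them."""
    path: str
    created_ns: int   # creation (birth) time
    modified_ns: int  # the 'date modified' value a backdoor may falsify


def timestomp_indicators(f: FileTimes, now_ns: int) -> List[str]:
    """Return heuristic reasons a file's timestamps look tampered with (empty if none)."""
    reasons = []
    if f.modified_ns < f.created_ns:
        reasons.append("modified earlier than created")
    if f.modified_ns > now_ns:
        reasons.append("modified in the future")
    # Tools that rewrite timestamps often write whole seconds, zeroing the sub-second
    # field the filesystem normally fills in; compare against the untouched creation time.
    if f.modified_ns % NS_PER_SEC == 0 and f.created_ns % NS_PER_SEC != 0:
        reasons.append("sub-second part of modified time is zero")
    return reasons


def from_stat(path: str) -> FileTimes:
    """Build a FileTimes record from the live filesystem (for scanning a real directory)."""
    st = os.stat(path)
    # Windows reports creation time as st_ctime; macOS/BSD expose st_birthtime instead.
    created = getattr(st, "st_birthtime_ns", None) or st.st_ctime_ns
    return FileTimes(path, created, st.st_mtime_ns)


def scan(files: List[FileTimes], now_ns: int) -> Dict[str, List[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    findings = {}
    for f in files:
        reasons = timestomp_indicators(f, now_ns)
        if reasons:
            findings[f.path] = reasons
    return findings


# Constructed sample records (hypothetical paths, not real InvisiMole artifacts).
SAMPLE_NOW_NS = 1_528_848_000 * NS_PER_SEC  # 2018-06-13 00:00:00 UTC
SAMPLE_FILES = [
    FileTimes("C:\\Windows\\System32\\legit.dll", 1_520_000_000_123_456_700, 1_520_000_000_123_456_700),
    FileTimes("C:\\Users\\Public\\dropped.dll", 1_528_800_000_456_789_000, 1_262_304_000 * NS_PER_SEC),
    FileTimes("C:\\Temp\\future.bin", 1_528_800_000_111_111_100, SAMPLE_NOW_NS + 86_400 * NS_PER_SEC + 5),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES, SAMPLE_NOW_NS).items():
        print(path, "->", "; ".join(reasons))
```

These checks are heuristics: a legitimate installer or backup restore can also produce whole-second or out-of-order timestamps, so treat hits as leads for closer inspection rather than proof of infection.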

Bringing a Well-Hidden Mole's Network Down

Since the threat actors have an extremely invasive level of access to any PC with InvisiMole, 'lucky' users may notice symptoms like unrequested system reboots, changes to the Windows Firewall or unusual UAC-bypassing behavior. However, InvisiMole's design implies that it's intended as a background-running threat that remains hidden for as long as possible. Its various features for fraudulent and untraceable data changes, such as secure-deleting files, also keep any symptoms of the criminal misuse of the PC to a minimum.

Malware researchers confirm multiple versions of InvisiMole, suggesting active and ongoing development. Windows PCs running both 32-bit and 64-bit architectures are vulnerable. Since its infection vectors are unknown, PC users should follow strong overall security practices and let their anti-malware solutions detect and remove InvisiMole as necessary.

InvisiMole has gone unnoticed by the cyber-security industry as a whole for at least half a decade. However, this detail is thanks to criminals choosing their targets wisely, and not due to the spyware being particularly immune to the anti-malware strategies that everyone should already be putting to good use.
