This is the modus operandi of the two malicious components of InvisiMole. They turn the affected computer into a video camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device may be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and stealing the victim’s secrets.

Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia.

The campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen computers being affected.

InvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources. Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible.

Extra measures are taken to avoid attracting the attention of the compromised user, enabling the malware to reside on the system for a longer period of time. How the spyware was spread to the infected machines is yet to be determined by further investigation. All infection vectors are possible, including installation facilitated by physical access to the machine...


InvisiMole is fully-equipped spyware whose rich capabilities can surely compete with other espionage tools seen in the wild.

We can only wonder why the authors decided to use two modules with overlapping capabilities. One might think the smaller module, RC2FM, is used as an initial reconnaissance tool, while the bigger RC2CL module is only run on interesting targets. This is, however, not the case – both of the modules are launched simultaneously. Another possible explanation is that the modules might have been crafted by various authors and then bundled together to provide the malware operators a more complex range of functionalities.

The malware uses only a few techniques to avoid detection and analysis, yet, deployed against a very small number of high-value targets, it was able to stay under the radar for at least five years....

Read more: InvisiMole spyware hunting for secrets while staying deep in the shadows

See also: malware-ioc/invisimole at master - eset/malware-ioc - GitHub