What Is It?
The malware, named InvisiMole by ESET, was first discovered by ESET researchers in May 2018 on computers in Russia and Ukraine. One reason this malware may have gone so long without discovery is that it appears to have been deployed in a highly targeted and extremely limited manner, to the extent that only a few dozen systems were infected.
In a previous Threat Report, we discussed the concept of dwell time, the period between a network being compromised and that breach being detected. The example in that case was RadRAT, which had been in the wild since 2015 before recently being discovered and analyzed. A recent report from researchers at ESET describes a sophisticated piece of spyware believed to have been in the wild even longer prior to analysis, in this case since late 2013.
Similar to RadRAT, there were several submissions of the malware to VirusTotal prior to ESET performing its analysis. Two submissions showed up on the same day in May 2014, and they may have been submitted by the attackers to determine how many anti-virus products would detect their malware; at that time the count was 9 out of a possible 53. The next submission wasn't until late November 2017, by which time 40 out of 66 products detected the sample. This was the final submission prior to ESET publishing its results.
Due to the sophistication of the malware and limited infections to draw samples from, it is surmised that the attacker has significant resources, patience and a specific goal — characteristics that suggest involvement by a nation-state or advanced persistent threat (APT) level attacker.
InvisiMole consists of two modules that provide different functionality. The first module is capable of recording audio from the infected system's microphone and sending it to the command and control (C2) server as MP3 files. It is also capable of taking screenshots and collecting information about all files on every drive on or attached to the infected system.
InvisiMole will attempt to contact its C2 server directly. Unlike many malware samples, however, if that contact fails it will check the configurations of common browsers to see if a proxy is defined, as is often required in corporate environments to obtain internet access. The module can also make changes to Windows Registry settings, list system information and files, and report the dates on which a file was accessed or modified.
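The proxy fallback described above is worth seeing in code, because it is exactly the behaviour that lets a beacon escape a network where direct egress is blocked. The following is an added illustration written for this report, not InvisiMole's own code. It assumes two configuration sources a Windows host commonly carries: the WinINET ProxyEnable/ProxyServer pair (as exposed under Internet Settings in the registry) and a Firefox-style prefs.js with network.proxy.* entries. Both inputs are constructed here so the block runs offline; the real malware's choice of browsers and parsing order is not documented on this page.

```python
"""Fallback proxy discovery modelled on the behaviour described above.

Added example, not InvisiMole code. Assumed sources: the WinINET
"ProxyServer" string (either "host:port" or a ';'-separated list of
"proto=host:port") together with "ProxyEnable", and a Firefox prefs.js
file. The sample inputs below are constructed, not captured from a host.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed prefs.js fragment (manual proxy, type 1).
SAMPLE_PREFS_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.corp.example");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "proxy.corp.example");
user_pref("network.proxy.ssl_port", 8443);
user_pref("browser.startup.homepage", "about:blank");
"""

# Constructed WinINET values: (ProxyEnable, ProxyServer).
SAMPLE_WININET_ENABLED = ("1", "http=proxy.corp.example:8080;https=proxy.corp.example:8443")
SAMPLE_WININET_DISABLED = ("0", "proxy.corp.example:8080")

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs_js(text: str) -> Dict[str, str]:
    """Return only network.proxy.* prefs, with string quotes removed."""
    prefs: Dict[str, str] = {}
    for m in _PREF_RE.finditer(text):
        key, raw = m.group(1), m.group(2).strip()
        if key.startswith("network.proxy."):
            prefs[key] = raw.strip('"')
    return prefs


def firefox_proxy(prefs: Dict[str, str], scheme: str = "http") -> Optional[Tuple[str, int]]:
    """Manual proxy for the scheme ("http" or "ssl"), or None if not configured."""
    if prefs.get("network.proxy.type") != "1":   # 1 = manual proxy configuration
        return None
    host = prefs.get(f"network.proxy.{scheme}")
    port = prefs.get(f"network.proxy.{scheme}_port")
    if not host or not port or not port.isdigit():
        return None
    return host, int(port)


def wininet_proxy(proxy_enable: str, proxy_server: str, scheme: str = "http") -> Optional[Tuple[str, int]]:
    """Parse the ProxyEnable/ProxyServer pair; a disabled value is present but unused."""
    if proxy_enable != "1" or not proxy_server:
        return None
    entries: Dict[str, str] = {}
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                       # per-protocol form: http=host:port
            proto, hostport = part.split("=", 1)
            entries[proto.strip().lower()] = hostport.strip()
        else:                                 # single host:port for all protocols
            entries["*"] = part
    hostport = entries.get(scheme) or entries.get("*")
    if not hostport or ":" not in hostport:
        return None
    host, _, port = hostport.rpartition(":")
    return (host, int(port)) if port.isdigit() else None


def choose_proxy(direct_ok: bool, proxy_enable: str, proxy_server: str,
                 prefs_js_text: str, scheme: str = "http"):
    """Mirror the order in the text: direct first, then any configured proxy."""
    if direct_ok:
        return "direct", None
    candidates = (
        ("wininet", wininet_proxy(proxy_enable, proxy_server, scheme)),
        ("firefox", firefox_proxy(parse_prefs_js(prefs_js_text), scheme)),
    )
    for source, candidate in candidates:
        if candidate:
            return source, candidate
    return "none", None
```

For defenders the point is the inverse: an implant that honours the user's proxy settings will show up in proxy logs under the victim's credentials and user agent, so egress monitoring should not assume that malware traffic bypasses the proxy.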
The second module supports 84 commands, one of which switches the module from "spyware mode" to "proxy mode", in which it connects to the attacker's C2 server to receive instructions on where to forward traffic. This module can also extract a wide variety of system data (including the speed of the current internet connection) and details of the wireless networks visible to the infected system, which can be used to determine the system's physical location more accurately than its IP address allows.
The module also looks at installed programs, particularly those regularly or recently used, and can be configured to report any changes made to specific directories or when certain USB devices are connected. Rather than just taking screenshots, it can capture a complete image of each open window, so the attackers see the whole window even when windows overlap. The attackers are also cautious, ensuring that any temporary files used to stage and exfiltrate data are securely deleted, making it impossible to recover their contents during a subsequent forensic investigation.
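The wireless-network survey mentioned above is a small but telling capability: a list of nearby BSSIDs and signal strengths is the same input that commercial Wi-Fi geolocation services consume. The following is an added example written for this report, not InvisiMole code. It assumes a collector that runs `netsh wlan show networks mode=bssid` on Windows and parses the text output; the sample output below is constructed to match that command's layout, the percent-to-dBm conversion is the common approximation (percent / 2 - 100), and the payload field names are illustrative only.

```python
"""Wi-Fi survey collection of the kind the text attributes to the second module.

Added example, not InvisiMole code. Assumes the output format of
`netsh wlan show networks mode=bssid`; the text below is constructed.
"""
import re
from typing import Dict, List, Optional

SAMPLE_NETSH_OUTPUT = """\
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 84%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : aa:bb:cc:dd:ee:02
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 :
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:10
         Signal             : 12%
         Radio type         : 802.11n
         Channel            : 11
"""

_SSID_RE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
_BSSID_RE = re.compile(r"^\s+BSSID\s+\d+\s*:\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)
_FIELD_RE = re.compile(r"^\s+(Signal|Channel)\s*:\s*(\S+)")


def parse_netsh_networks(text: str) -> List[Dict]:
    """Flatten netsh output into one record per BSSID (a hidden SSID yields '')."""
    records: List[Dict] = []
    ssid: Optional[str] = None
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = _SSID_RE.match(line)
        if m:                                  # new SSID block; BSSIDs follow
            ssid, current = m.group(1).strip(), None
            continue
        m = _BSSID_RE.match(line)
        if m:                                  # one access point within the SSID
            current = {"ssid": ssid, "bssid": m.group(1).lower(),
                       "signal_pct": None, "channel": None}
            records.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:          # fields belong to the latest BSSID
            key, value = m.group(1).lower(), m.group(2)
            if key == "signal":
                current["signal_pct"] = int(value.rstrip("%"))
            else:
                current["channel"] = int(value)
    return records


def quality_to_dbm(percent: int) -> int:
    """Approximate dBm from Windows' 0-100 link quality (assumed: percent/2 - 100)."""
    return max(-100, min(-50, percent // 2 - 100))


def geolocation_payload(records: List[Dict], min_pct: int = 20) -> List[Dict]:
    """Keep usable BSSIDs, strongest first. SSIDs are dropped: lookups key on BSSID."""
    usable = [r for r in records
              if r["signal_pct"] is not None and r["signal_pct"] >= min_pct]
    usable.sort(key=lambda r: r["signal_pct"], reverse=True)
    return [{"macAddress": r["bssid"],
             "signalStrength": quality_to_dbm(r["signal_pct"]),
             "channel": r["channel"]} for r in usable]
```

Note that the hidden network (empty SSID) is still reported by BSSID, and weak, distant access points are dropped before the lookup because they add little to a position fix. From a detection standpoint, a non-administrative process spawning netsh with these arguments is a low-noise event worth alerting on.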
How Does It Propagate?
The malware does not contain the code needed to self-propagate. The initial attack vector is unknown, mainly because of the lengthy dwell time, though various methods could have been used, including spear phishing or even physical access to the infected systems.
When/How Did BluVector Detect It?
A single sample is publicly available, and BluVector's patented Machine Learning Engine (MLE) detected it. Regression testing has shown that, although the sample was first uploaded to VirusTotal in May 2014, it would have been detected three months before even that date.