InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules, called RC2FM and RC2CL, that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | InvisiMole can collect jpeg files from connected MTP devices.[2] |
| Enterprise | T1005 | Data from Local System | InvisiMole can collect data from the system, and can monitor changes in specified directories.[1] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.[1] |
| Enterprise | T1090.002 | Proxy: External Proxy | InvisiMole can identify proxy servers used by the victim and use them for C2 communication.[1][2] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[1][2] |
| Enterprise | T1112 | Modify Registry | InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.[1][2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | InvisiMole uses variations of a simple XOR encryption routine for C&C communications.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | InvisiMole can be launched by using DLL search order hijacking, in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | InvisiMole can place a .lnk file in the Startup Folder to achieve persistence.[2] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | InvisiMole can launch a remote shell to execute commands.[1][2] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | InvisiMole can use a JavaScript file as part of its execution chain.[2] |
| Enterprise | T1008 | Fallback Channels | InvisiMole has been configured with several servers available for alternate C2 communications.[1][2] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | InvisiMole has a command to disable routing and the Firewall on the victim's machine.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.[2] |
| Enterprise | T1113 | Screen Capture | InvisiMole can capture screenshots of not only the entire screen, but of each separate open window, in case they are overlapping.[1][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | InvisiMole uses HTTP for C2 communications.[1] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.[2] |
| Enterprise | T1010 | Application Window Discovery | InvisiMole can enumerate windows and child windows on a compromised host.[1][2] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | InvisiMole can use zlib to compress and decompress data.[1][2] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.[1] |
| Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | InvisiMole can use Data Protection API to encrypt its components on the victim's computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.[2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.[1][2] |
| Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | InvisiMole can mimic the HTTP protocol with custom HTTP "verbs" HIDE, ZVVP, and NOP.[1][2] |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.[2] |
| Enterprise | T1083 | File and Directory Discovery | InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by a supplied file mask.[1] |
| Enterprise | T1106 | Native API | InvisiMole can use the winapiexec tool for indirect execution of |
| Enterprise | T1068 | Exploitation for Privilege Escalation | InvisiMole has exploited the CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.[2] |
| Enterprise | T1012 | Query Registry | InvisiMole can enumerate Registry values, keys, and data.[1] |
| Enterprise | T1080 | Taint Shared Content | InvisiMole can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | InvisiMole avoids analysis by encrypting all strings, internal files and configuration data, and by using a custom executable format.[1][2] |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | InvisiMole has undergone regular technical improvements in an attempt to evade detection.[2] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | InvisiMole can use a fileless UAC bypass and create an elevated COM object to escalate privileges.[1][2] |
| Enterprise | T1204.002 | User Execution: Malicious File | InvisiMole can deliver trojanized versions of software and documents, relying on user execution.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | InvisiMole has deleted files and directories, including XML files and files successfully uploaded to C2 servers.[1][2] |
| Enterprise | T1070.005 | Indicator Removal: Network Share Connection Removal | InvisiMole can disconnect previously connected remote drives.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.[1] |
| Enterprise | T1218.002 | System Binary Proxy Execution: Control Panel | InvisiMole can register itself for execution and persistence via the Control Panel.[2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | InvisiMole has used rundll32.exe for execution.[2] |
| Enterprise | T1082 | System Information Discovery | InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.[1][2] |
| Enterprise | T1490 | Inhibit System Recovery | InvisiMole can remove all system restore points.[1] |
| Enterprise | T1033 | System Owner/User Discovery | InvisiMole lists local users and session information.[1] |
| Enterprise | T1124 | System Time Discovery | InvisiMole gathers the local system time from the victim's machine.[1][2] |
| Enterprise | T1569.002 | System Services: Service Execution | InvisiMole has used Windows services as a way to execute its malicious payload.[2] |
| Enterprise | T1007 | System Service Discovery | InvisiMole can obtain the running services on the victim.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.[1][2] |
| Enterprise | T1135 | Network Share Discovery | InvisiMole can gather network share information.[1] |
| Enterprise | T1046 | Network Service Discovery | InvisiMole can scan the network for open ports and vulnerable instances of the RDP and SMB protocols.[2] |
| Enterprise | T1119 | Automated Collection | InvisiMole can sort and collect specific documents, as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.[1][2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environments, and terminate itself if they are detected.[2] |
| Enterprise | T1125 | Video Capture | InvisiMole can remotely activate the victim's webcam to capture content.[1][2] |
| Enterprise | T1087.001 | Account Discovery: Local Account | InvisiMole has a command to list account information on the victim's machine.[1] |
| Enterprise | T1518 | Software Discovery | InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system.[1][2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | InvisiMole can check for the presence of network sniffers, AV, and the BitDefender firewall.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | InvisiMole can upload files to the victim's machine for operations.[1][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | InvisiMole can capture keystrokes on a compromised host.[2] |
| Enterprise | T1057 | Process Discovery | InvisiMole can obtain a list of running processes.[1][2] |
| Enterprise | T1055 | Process Injection | InvisiMole can inject itself into another process to avoid detection, including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.[2] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | InvisiMole can inject its backdoor as a portable executable into a target process.[2] |
| Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | InvisiMole can inject its code into a trusted process via the APC queue.[2] |
| Enterprise | T1055.015 | Process Injection: ListPlanting | InvisiMole has used ListPlanting to inject code into a trusted process.[2] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | InvisiMole can use the |
| Enterprise | T1210 | Exploitation of Remote Services | InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively.[2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | InvisiMole can create hidden system directories.[2] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | InvisiMole has executed legitimate tools in hidden windows.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | InvisiMole has used TCP to download additional modules.[2] |
| Enterprise | T1123 | Audio Capture | InvisiMole can record sound using input audio devices.[1][2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | InvisiMole has used scheduled tasks named |