Story image

After five years, the InvisiMole spyware isn't so invisible anymore

20 Jun 18

A small number of webcams in offices and homes are being targeted by a spyware dubbed InvisiMole, which has been active (and hidden) since at least 2013.

Security firm ESET posted an alert about the spyware last week, and says that malware has only been hidden for so long because it is highly-targeted.

InvisiMole is able to turn the affected computer into a video camera, which allows the attackers see and hear what’s going on around their intended victim. Attackers can then ‘closely monitor the victim’s activities and steal the victim’s secrets.

According to ESET senior research fellow Nick FitzGerald, the telemetry behind the malware suggests it is at least five years old, but it wasn’t detected or analysed until it was discovered on computers in the Ukraine and Russia.

The malware so far has a low infection rate with only a few dozen computers reported to be compromised; however ESET warns that it is still a fully-equipped spyware that can easily compete with other espionage tools.

FitzGerald explains how InvisiMole works:

“InvisiMole has a modular architecture, starting with a wrapper DLL and performing its spying activities using two other modules that are embedded in its resources. Both of these modules are feature-rich backdoors, which, together, provide the ability to gather as much information about the target as possible. Extra measures are taken to avoid attracting the attention of the compromised user, letting the malware reside on the system for longer.”

“The malware can also intrude on the victim’s privacy by taking screenshots, which is another of the backdoor commands. The malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file,” he says.

ESET further explains that the malware can also be instructed to look for recently used documents or other interesting files.

“The malware sniffs around interesting places on the system, reads recent documents or even modifies some files. This leaves traces on the system and could raise the victim’s suspicions as the time of the last access or modification of the files is changed with each such activity. To prevent this, the malware always restores the original file access or modification times, so that the user is unaware of its operation.”

FitzGerald adds that attackers can also collect all of this data.

“All infection vectors are possible, including installation facilitated by physical access to the machine.” 

SonicWall secures hybrid clouds by simplifying firewall deployment
Once new products are brought online in remote locations, administrators can manage local and distributed networks.
What MSPs can learn from Datto’s Channel Ransomware Report
While there have been less high profile attacks making the headlines, the frequency of attacks is, in fact, increasing.
Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why Australian enterprises are prime targets for malware attacks
"Only 14% of Australian organisations are continuously training employees to spot cyber attacks."
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”