After five years, the InvisiMole spyware isn't so invisible anymore
A small number of webcams in offices and homes are being targeted by a spyware dubbed InvisiMole, which has been active (and hidden) since at least 2013.
Security firm ESET posted an alert about the spyware last week, and says that malware has only been hidden for so long because it is highly-targeted.
InvisiMole is able to turn the affected computer into a video camera, which allows the attackers see and hear what’s going on around their intended victim. Attackers can then ‘closely monitor the victim’s activities and steal the victim’s secrets.
According to ESET senior research fellow Nick FitzGerald, the telemetry behind the malware suggests it is at least five years old, but it wasn’t detected or analysed until it was discovered on computers in the Ukraine and Russia.
The malware so far has a low infection rate with only a few dozen computers reported to be compromised; however ESET warns that it is still a fully-equipped spyware that can easily compete with other espionage tools.
FitzGerald explains how InvisiMole works:
“InvisiMole has a modular architecture, starting with a wrapper DLL and performing its spying activities using two other modules that are embedded in its resources. Both of these modules are feature-rich backdoors, which, together, provide the ability to gather as much information about the target as possible. Extra measures are taken to avoid attracting the attention of the compromised user, letting the malware reside on the system for longer.” “The malware can also intrude on the victim’s privacy by taking screenshots, which is another of the backdoor commands. The malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file,” he says.
ESET further explains that the malware can also be instructed to look for recently used documents or other interesting files.
“The malware sniffs around interesting places on the system, reads recent documents or even modifies some files. This leaves traces on the system and could raise the victim’s suspicions as the time of the last access or modification of the files is changed with each such activity. To prevent this, the malware always restores the original file access or modification times, so that the user is unaware of its operation.”
FitzGerald adds that attackers can also collect all of this data. “All infection vectors are possible, including installation facilitated by physical access to the machine.”