After five years, the InvisiMole spyware isn't so invisible anymore

20 Jun 18

A small number of computers in offices and homes, and the webcams attached to them, are being targeted by spyware dubbed InvisiMole, which has been active (and hidden) since at least 2013.

Security firm ESET posted an alert about the spyware last week, and says the malware has stayed hidden for so long only because it is highly targeted.

InvisiMole is able to turn the affected computer into a video camera, which allows the attackers to see and hear what’s going on around their intended victim. Attackers can then ‘closely monitor the victim’s activities and steal the victim’s secrets’.

According to ESET senior research fellow Nick FitzGerald, the telemetry behind the malware suggests it is at least five years old, but it wasn’t detected or analysed until it was discovered on computers in Ukraine and Russia.

The malware so far has a low infection rate, with only a few dozen computers reported to be compromised; however, ESET warns that it is nonetheless fully-equipped spyware that can easily compete with other espionage tools.

FitzGerald explains how InvisiMole works:

“InvisiMole has a modular architecture, starting with a wrapper DLL and performing its spying activities using two other modules that are embedded in its resources. Both of these modules are feature-rich backdoors, which, together, provide the ability to gather as much information about the target as possible. Extra measures are taken to avoid attracting the attention of the compromised user, letting the malware reside on the system for longer.”

“The malware can also intrude on the victim’s privacy by taking screenshots, which is another of the backdoor commands. The malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file,” he says.

ESET further explains that the malware can also be instructed to look for recently used documents or other interesting files.

“The malware sniffs around interesting places on the system, reads recent documents or even modifies some files. This leaves traces on the system and could raise the victim’s suspicions as the time of the last access or modification of the files is changed with each such activity. To prevent this, the malware always restores the original file access or modification times, so that the user is unaware of its operation.”
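The timestamp-restoring behaviour described above, as an added example (this is not InvisiMole's code or ESET's analysis): a read or write that snapshots a file's access and modification times and puts them back afterwards, alongside the file-integrity check that still catches the trick, because content that differs from a recorded baseline while mtime has not moved is exactly what a legitimate edit never produces. File names, contents and the 2014 "last edited" date are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

NS_PER_S = 1_000_000_000
OLD_TIME_NS = 1_400_000_000 * NS_PER_S   # 2014-05-13 UTC, constructed "last edited" date


def snapshot_times(path):
    """(atime_ns, mtime_ns) of a file, in the shape os.utime(ns=...) accepts."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns)


def stealthy_read(path):
    """Read a file, then restore atime/mtime so the access leaves no visible trace."""
    saved = snapshot_times(path)
    try:
        return Path(path).read_bytes()
    finally:
        os.utime(path, ns=saved)


def stealthy_write(path, data):
    """Overwrite a file, then restore atime/mtime so the edit leaves no visible trace."""
    saved = snapshot_times(path)
    try:
        Path(path).write_bytes(data)
    finally:
        os.utime(path, ns=saved)


def baseline(path):
    """What a file-integrity monitor records per file: content hash and mtime."""
    return {
        "sha256": hashlib.sha256(Path(path).read_bytes()).hexdigest(),
        "mtime_ns": os.stat(path).st_mtime_ns,
    }


def classify_change(path, base):
    """Compare a file with its recorded baseline.

    A legitimate edit moves mtime forward. Content that differs from the
    baseline while mtime is exactly where it was is the signature of a
    restored timestamp.
    """
    now = baseline(path)
    if now["sha256"] == base["sha256"]:
        return "unchanged"
    if now["mtime_ns"] == base["mtime_ns"]:
        return "restored-timestamps"
    return "ordinary-write"


def demo():
    """Run the technique and the check on two constructed files; return the findings."""
    with tempfile.TemporaryDirectory() as d:
        secret = Path(d) / "report.docx"      # constructed victim document
        notes = Path(d) / "notes.txt"         # constructed control document
        secret.write_bytes(b"original contents")
        notes.write_bytes(b"v1")
        for p in (secret, notes):             # both look "last edited in 2014"
            os.utime(p, ns=(OLD_TIME_NS, OLD_TIME_NS))

        base_secret, base_notes = baseline(secret), baseline(notes)
        times_before = snapshot_times(secret)

        data = stealthy_read(secret)          # spyware reads the document ...
        read_left_no_trace = snapshot_times(secret) == times_before

        stealthy_write(secret, b"tampered")   # ... and modifies it, hiding the edit
        notes.write_bytes(b"v2")              # the user edits the other file normally

        return {
            "read_data": data,
            "read_left_no_trace": read_left_no_trace,
            "secret": classify_change(secret, base_secret),
            "notes": classify_change(notes, base_notes),
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone using this defensively. A baseline comparison only works if the baseline was taken before the compromise, so hashes have to be recorded and stored off-host. And the restore is never perfect: on Linux and other POSIX systems utime() cannot set the inode change time (ctime), which the kernel bumps to "now" on every metadata change, so a file whose ctime sits years after its mtime deserves a look; on NTFS the equivalent tell is a mismatch between the $STANDARD_INFORMATION timestamps, which user-mode code can set, and the $FILE_NAME timestamps, which it normally cannot.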

On how the malware reaches its targets, FitzGerald adds:

“All infection vectors are possible, including installation facilitated by physical access to the machine.” 
