InvisiMole is a sophisticated malware family with a modular architecture, designed to infiltrate and exploit computer systems undetected. It begins its operation with a wrapper DLL and performs its activities through two other modules embedded in that DLL's resources. Notably, the malware can enumerate enabled wireless networks on a compromised system, allowing it to gather more information about the network environment. The RC2FM module uses several encryption methods, primarily variations of a simple XOR encryption routine, which help it evade detection. Furthermore, InvisiMole has a distinctive capability: it captures not only whole-display screenshots but also individual windows, even when they are overlapped, giving the attackers more detailed information.
The malware is associated with Russian government APT hacking groups, specifically UAC-0035, also known as InvisiMole, which focuses on cyberespionage. Other active Russian APT groups include Gamaredon (also known as Actinium), APT28 (Strontium and Fancy Bear), and APT29 (Nobelium and Cozy Bear). InvisiMole has been involved in significant attacks against Ukraine, particularly during the second half of 2022, and is tied to the Gamaredon group. The malware was often delivered through phishing campaigns targeting Ukrainian organizations, using the LoadEdge backdoor for access.
InvisiMole's operators are known for their stealthy approach: gaining access to systems without authorization, closely monitoring victims' activities, and stealing sensitive data. They have also used pirated software torrents to deliver spyware, which can remain unnoticed for years. Ukrainian officials have recognized InvisiMole as one of the "most dangerous cyber spying groups," emphasizing its focus on cyberespionage. Despite its stealthy operations, the increased activity of InvisiMole and related groups has been tracked and reported, alerting potential targets to their tactics.
Description last updated: 2024-05-04T19:20:19.465Z