InvisiMole

Malware updated 5 months ago (2024-05-04T20:08:58.910Z)
InvisiMole is a sophisticated malware family with a modular architecture, designed to infiltrate computer systems and operate on them undetected. It begins its operation through a wrapper DLL and performs its activities through two further modules embedded in the wrapper's resources. Notably, the malware can scan the enabled wireless networks on a compromised system, allowing it to gather more information about the network environment. The RC2FM module uses several encryption methods, primarily variations of a simple XOR encryption routine, which adds to its stealth. InvisiMole also has a distinctive capability: it captures not only full-display screenshots but also individual windows, even when they are overlapped, giving the attackers more detailed information.

The malware is associated with Russian government APT hacking groups, specifically UAC-0035, aka InvisiMole, which focuses on cyberespionage. Other active Russian APT groups include Gamaredon (also known as Actinium), APT28 (Strontium and Fancy Bear), and APT29 (Nobelium and Cozy Bear). InvisiMole has been involved in significant attacks against Ukraine, particularly during the second half of 2022, and is tied to the Gamaredon group. The malware was often delivered via phishing campaigns targeting Ukrainian organizations, using the LoadEdge backdoor for access.

InvisiMole's operators are known for their stealthy approach: gaining access to systems uninvited, closely monitoring victims' activities, and stealing sensitive data. They often use pirated software torrents to deliver the spyware, which can remain unnoticed for years. Ukrainian officials have recognized InvisiMole as one of the "most dangerous cyber spying groups," emphasizing its focus on cyberespionage. Despite its stealthy operations, the increased activity of InvisiMole and related groups has been tracked and reported, alerting potential targets to their tactics.
Description last updated: 2024-05-04T19:20:19.465Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
- Apt
- Spyware
- russian
- Russia
- Espionage
Associated Threat Actors
Alias: Gamaredon
Description: The Gamaredon Threat Actor is associated with InvisiMole. Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been identified as one of the most active threat actors in Ukraine, particularly since Russia's invasion of Ukraine in 2022. The group has been known to employ a variety of tools and techniques for cyberespionage, including downloaders
Association Type: Unspecified
Votes: 3