Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
ID: S0260
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 17 Oct 2018
Last Modified: 29 Nov 2021

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Enterprise T1087 .001 Account Discovery: Local Account

InvisiMole has a command to list account information on the victim’s machine.(Citation: ESET InvisiMole June 2018)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

InvisiMole uses HTTP for C2 communications.(Citation: ESET InvisiMole June 2018)

.004 Application Layer Protocol: DNS

InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.(Citation: ESET InvisiMole June 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.(Citation: ESET InvisiMole June 2018)

.002 Archive Collected Data: Archive via Library

InvisiMole can use zlib to compress and decompress data.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

.003 Archive Collected Data: Archive via Custom Method

InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.(Citation: ESET InvisiMole June 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

InvisiMole can place a lnk file in the Startup Folder to achieve persistence.(Citation: ESET InvisiMole June 2020)

.009 Boot or Logon Autostart Execution: Shortcut Modification

InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMole June 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

InvisiMole can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

.007 Command and Scripting Interpreter: JavaScript

InvisiMole can use a JavaScript file as part of its execution chain.(Citation: ESET InvisiMole June 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.(Citation: ESET InvisiMole June 2020)

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.(Citation: ESET InvisiMole June 2020)

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

InvisiMole can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

InvisiMole uses variations of a simple XOR encryption routine for C&C communications.(Citation: ESET InvisiMole June 2018)

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

InvisiMole can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.(Citation: ESET InvisiMole June 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

InvisiMole can create hidden system directories.(Citation: ESET InvisiMole June 2020)

.003 Hide Artifacts: Hidden Window

InvisiMole has executed legitimate tools in hidden windows.(Citation: ESET InvisiMole June 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

InvisiMole has a command to disable routing and the Firewall on the victim’s machine.(Citation: ESET InvisiMole June 2018)

Enterprise T1070 .004 Indicator Removal: File Deletion

InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

.005 Indicator Removal: Network Share Connection Removal

InvisiMole can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018)

.006 Indicator Removal: Timestomp

InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.(Citation: ESET InvisiMole June 2018)

Enterprise T1056 .001 Input Capture: Keylogging

InvisiMole can capture keystrokes on a compromised host.(Citation: ESET InvisiMole June 2020)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.(Citation: ESET InvisiMole June 2020)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.(Citation: ESET InvisiMole June 2020)

.005 Masquerading: Match Legitimate Name or Location

InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

InvisiMole has undergone regular technical improvements in an attempt to evade detection.(Citation: ESET InvisiMole June 2020)

Enterprise T1055 .002 Process Injection: Portable Executable Injection

InvisiMole can inject its backdoor as a portable executable into a target process.(Citation: ESET InvisiMole June 2020)

.004 Process Injection: Asynchronous Procedure Call

InvisiMole can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020)

.015 Process Injection: ListPlanting

InvisiMole has used ListPlanting to inject code into a trusted process.(Citation: ESET InvisiMole June 2020)

Enterprise T1090 .001 Proxy: Internal Proxy

InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.(Citation: ESET InvisiMole June 2018)

.002 Proxy: External Proxy

InvisiMole InvisiMole can identify proxy servers used by the victim and use them for C2 communication.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.(Citation: ESET InvisiMole June 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.(Citation: ESET InvisiMole June 2020)

Enterprise T1218 .002 System Binary Proxy Execution: Control Panel

InvisiMole can register itself for execution and persistence via the Control Panel.(Citation: ESET InvisiMole June 2020)

.011 System Binary Proxy Execution: Rundll32

InvisiMole has used rundll32.exe for execution.(Citation: ESET InvisiMole June 2020)

Enterprise T1569 .002 System Services: Service Execution

InvisiMole has used Windows services as a way to execute its malicious payload.(Citation: ESET InvisiMole June 2020)

Enterprise T1204 .002 User Execution: Malicious File

InvisiMole can deliver trojanized versions of software and documents, relying on user execution.(Citation: ESET InvisiMole June 2020)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.