InvisiMole
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
Enterprise | T1087 | .001 | Account Discovery: Local Account |
InvisiMole has a command to list account information on the victim’s machine.(Citation: ESET InvisiMole June 2018) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
InvisiMole uses HTTP for C2 communications.(Citation: ESET InvisiMole June 2018) |
.004 | Application Layer Protocol: DNS |
InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.(Citation: ESET InvisiMole June 2018) |
.002 | Archive Collected Data: Archive via Library |
InvisiMole can use zlib to compress and decompress data.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
||
.003 | Archive Collected Data: Archive via Custom Method |
InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.(Citation: ESET InvisiMole June 2018) |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
InvisiMole can place a lnk file in the Startup Folder to achieve persistence.(Citation: ESET InvisiMole June 2020) |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
InvisiMole can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
.007 | Command and Scripting Interpreter: JavaScript |
InvisiMole can use a JavaScript file as part of its execution chain.(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1132 | .002 | Data Encoding: Non-Standard Encoding |
InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1001 | .003 | Data Obfuscation: Protocol or Service Impersonation |
InvisiMole can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
InvisiMole uses variations of a simple XOR encryption routine for C&C communications.(Citation: ESET InvisiMole June 2018) |
Enterprise | T1480 | .001 | Execution Guardrails: Environmental Keying |
InvisiMole can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
InvisiMole can create hidden system directories.(Citation: ESET InvisiMole June 2020) |
.003 | Hide Artifacts: Hidden Window |
InvisiMole has executed legitimate tools in hidden windows.(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018) |
Enterprise | T1562 | .004 | Impair Defenses: Disable or Modify System Firewall |
InvisiMole has a command to disable routing and the Firewall on the victim’s machine.(Citation: ESET InvisiMole June 2018) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
.005 | Indicator Removal: Network Share Connection Removal |
InvisiMole can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018) |
||
.006 | Indicator Removal: Timestomp |
InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.(Citation: ESET InvisiMole June 2018) |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
InvisiMole can capture keystrokes on a compromised host.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1559 | .001 | Inter-Process Communication: Component Object Model |
InvisiMole can use the |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.(Citation: ESET InvisiMole June 2020) |
.005 | Masquerading: Match Legitimate Name or Location |
InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1027 | .005 | Obfuscated Files or Information: Indicator Removal from Tools |
InvisiMole has undergone regular technical improvements in an attempt to evade detection.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1055 | .002 | Process Injection: Portable Executable Injection |
InvisiMole can inject its backdoor as a portable executable into a target process.(Citation: ESET InvisiMole June 2020) |
.004 | Process Injection: Asynchronous Procedure Call |
InvisiMole can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020) |
||
.015 | Process Injection: ListPlanting |
InvisiMole has used ListPlanting to inject code into a trusted process.(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1090 | .001 | Proxy: Internal Proxy |
InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.(Citation: ESET InvisiMole June 2018) |
.002 | Proxy: External Proxy |
InvisiMole InvisiMole can identify proxy servers used by the victim and use them for C2 communication.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
InvisiMole has used scheduled tasks named |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1218 | .002 | System Binary Proxy Execution: Control Panel |
InvisiMole can register itself for execution and persistence via the Control Panel.(Citation: ESET InvisiMole June 2020) |
.011 | System Binary Proxy Execution: Rundll32 |
InvisiMole has used rundll32.exe for execution.(Citation: ESET InvisiMole June 2020) |
||
Enterprise | T1569 | .002 | System Services: Service Execution |
InvisiMole has used Windows services as a way to execute its malicious payload.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1204 | .002 | User Execution: Malicious File |
InvisiMole can deliver trojanized versions of software and documents, relying on user execution.(Citation: ESET InvisiMole June 2020) |
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.