InvisiMole

InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

InvisiMole has a command to list account information on the victim’s machine.(Citation: ESET InvisiMole June 2018)

InvisiMole uses HTTP for C2 communications.(Citation: ESET InvisiMole June 2018)

InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.(Citation: ESET InvisiMole June 2018)

InvisiMole can place a lnk file in the Startup Folder to achieve persistence.(Citation: ESET InvisiMole June 2020)

InvisiMole can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.(Citation: ESET InvisiMole June 2020)

InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.(Citation: ESET InvisiMole June 2020)

InvisiMole can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

InvisiMole uses variations of a simple XOR encryption routine for C&C communications.(Citation: ESET InvisiMole June 2018)

InvisiMole can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.(Citation: ESET InvisiMole June 2020)

InvisiMole can create hidden system directories.(Citation: ESET InvisiMole June 2020)

InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018)

InvisiMole has a command to disable routing and the Firewall on the victim’s machine.(Citation: ESET InvisiMole June 2018)

InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

InvisiMole can capture keystrokes on a compromised host.(Citation: ESET InvisiMole June 2020)

InvisiMole can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.(Citation: ESET InvisiMole June 2020)

InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.(Citation: ESET InvisiMole June 2020)

InvisiMole has undergone regular technical improvements in an attempt to evade detection.(Citation: ESET InvisiMole June 2020)

InvisiMole can inject its backdoor as a portable executable into a target process.(Citation: ESET InvisiMole June 2020)

InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.(Citation: ESET InvisiMole June 2018)

InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.(Citation: ESET InvisiMole June 2020)

InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.(Citation: ESET InvisiMole June 2020)

InvisiMole can register itself for execution and persistence via the Control Panel.(Citation: ESET InvisiMole June 2020)

InvisiMole has used Windows services as a way to execute its malicious payload.(Citation: ESET InvisiMole June 2020)

InvisiMole can deliver trojanized versions of software and documents, relying on user execution.(Citation: ESET InvisiMole June 2020)

InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020)