The method involves turning the target computer into a camcorder, allowing the operators to see and hear what goes on around the victim, whether at home, at the office, or elsewhere. According to ESET, this malware has been active since 2013; however, the cyber-espionage tool was never analyzed or detected until it was discovered by ESET products on computers that had been attacked in Ukraine and Russia.
InvisiMole has a modular architecture: it starts out as a "wrapper" DLL (an application extension that provides a layer of compatibility with other software) and accomplishes its objectives with two other modules embedded in its resources. ESET has noted that the DLL is placed in the Windows folder by impersonating a legitimate file, called mpr.dll, fxsst.dll, or winmm.dll.
Because it sits in the Windows folder rather than in the folder where such a file would be expected, System32, the "wrapper" DLL is loaded directly into the Windows Explorer process during Windows startup. To stay even further out of sight, the malware protects itself from administrators and analysts by encrypting its internal files, configuration data and network communication. One of the malware modules, called RC2FM, can even search the most recently used application lists, looking in particular for portable browser executables - Firefox, Opera, etc. If the victim runs one of these browsers with a configured proxy server, the malware can find this information in the user preferences and use that proxy to communicate with its own servers.
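The placement trick described above gives defenders something concrete to check for: a file named mpr.dll, fxsst.dll or winmm.dll sitting in the Windows root directory instead of System32 (or SysWOW64, where 32-bit system DLLs legitimately live). The script below is an added example written for this page, not code from ESET or from the malware analysis; it classifies file paths from a directory listing and flags those placements. The sample listing is constructed, and the optional live scan simply reads the SystemRoot directory if it exists.

```python
"""Added example: flag wrapper-DLL placements of the kind the article
describes. The sample paths are constructed input, not real indicators."""
import os
from pathlib import PureWindowsPath

# DLL names the article says the InvisiMole wrapper impersonates.
IMPERSONATED_DLLS = frozenset({"mpr.dll", "fxsst.dll", "winmm.dll"})

# Directories under the Windows root where these DLLs legitimately live.
# SysWOW64 holds the 32-bit copies on 64-bit Windows.
EXPECTED_SUBDIRS = ("system32", "syswow64")


def classify_dll_path(path: str, windows_root: str = r"C:\Windows") -> str:
    """Return 'expected', 'suspicious' or 'ignore' for one file path.

    'suspicious' means a DLL with one of the impersonated names sits directly
    in the Windows root, where Explorer would pick it up before System32.
    """
    p = PureWindowsPath(path)
    if p.name.lower() not in IMPERSONATED_DLLS:
        return "ignore"
    root_parts = tuple(part.lower() for part in PureWindowsPath(windows_root).parts)
    parent_parts = tuple(part.lower() for part in p.parent.parts)
    if parent_parts == root_parts:
        return "suspicious"
    if len(parent_parts) == len(root_parts) + 1 and parent_parts[:-1] == root_parts \
            and parent_parts[-1] in EXPECTED_SUBDIRS:
        return "expected"
    # Anywhere else (a user profile, another drive) is outside the search
    # path this technique abuses, so it is not reported by this check.
    return "ignore"


def scan_listing(paths, windows_root: str = r"C:\Windows") -> list:
    """Return the sorted list of suspicious paths in an iterable of paths."""
    return sorted(p for p in paths if classify_dll_path(p, windows_root) == "suspicious")


def scan_windows_root() -> list:
    """Live variant: list the real Windows root and flag matching names.

    Returns an empty list when the directory is absent (e.g. on non-Windows).
    """
    root = os.environ.get("SystemRoot", r"C:\Windows")
    if not os.path.isdir(root):
        return []
    entries = [os.path.join(root, e.name) for e in os.scandir(root) if e.is_file()]
    return scan_listing(entries, root)


# Constructed sample listing: two legitimate system copies, one 32-bit copy,
# two root-directory placements that should be flagged, and two unrelated files.
SAMPLE_LISTING = [
    r"C:\Windows\System32\mpr.dll",
    r"C:\Windows\System32\winmm.dll",
    r"C:\Windows\SysWOW64\winmm.dll",
    r"C:\Windows\fxsst.dll",
    r"C:\Windows\winmm.dll",
    r"C:\Windows\explorer.exe",
    r"C:\Users\alice\Downloads\mpr.dll",
]

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print("suspicious placement:", hit)
    for hit in scan_windows_root():
        print("suspicious placement on this host:", hit)
```

A hit from this check is a lead, not a verdict: the next step is to compare the flagged file's hash and signature against the copy in System32 and to look at who loads it, since a benign application can also drop a DLL with one of these names.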
Through RC2FM, the spyware can - on demand - remotely activate the target computer's microphone and record sounds. The resulting audio files are encoded to MP3 format through a lame.dll library. Another feature is to take "printscreens" - capturing what is visible on the screen - and to monitor all the fixed or removable drives in the local system. When a new drive is attached to the computer, the malware creates a list of all files on the drive and stores it in an encrypted file. An interesting element about InvisiMole is that it does not just record what is visible on the whole screen - it can also capture each open window separately, even when the windows overlap.
The other module, called RC2CL, supports commands such as file system operations, file execution, registry key manipulation and remote shell activation; according to ESET, this module supports 84 different commands, all potentially harmful - from listing active processes, network information (including IP tables) and usernames, to obtaining the SSID and MAC address of visible Wi-Fi hotspots, in the latter case making it possible to compare these data with public databases and so allow the interested parties to obtain the geographical location of the victim.
ESET found 32-bit and 64-bit versions of InvisiMole and makes it clear that, using only a few techniques to stay hidden, this malware was able to go unnoticed for at least five years. Also available in ESET's article is a list of indicators of compromise so you can look for clues of InvisiMole on your computer.