Powerful InvisiMole malware can spy on victims by turning infected computers into a video camera

• Threat actors behind the malware have likely been active since 2013.
• Malware can remotely activate a computer’s webcam and microphone.

Security researchers have discovered a new malware dubbed InvisiMole that comes with advanced spying capabilities. The spyware, which has both 32-bit and 64-bit versions, has already targeted systems in Ukraine and Russia. It is believed to be a highly low-profile cyberespionage tool, given its limited scale of attacks.

According to security researchers at ESET who discovered the spyware, the hackers behind InvisiMole have likely been active since 2013. However, the malware’s low infection rate helped it remain undetected till now.

What can InvisiMole do?

InvisiMole comes with two feature-rich backdoors that help the attackers “gather as much information about the target as possible”. Alongside its data-stealing abilities, the malware is also capable of turning an infected computer into a video camera. It can remotely activate an infected system’s webcam and microphone and also take screenshots.

“What is particularly interesting about InvisiMole is that not only the usual “whole display” screenshots are taken – it can separately capture each window, which helps the attackers gain more information even when the windows are overlapped,” ESET researchers wrote in a blog.

InvisiMole also comes with other common spyware capabilities including file execution, registry key manipulation and 81 additional backdoor commands. It can also scan WiFi networks and record data such as SSID and MAC address of the visible Wi-Fi access points, which in turn, can help attackers track the victim’s location.

“The malware can inspect the infected computer and provide various data, from system information such as lists of active processes, running services, loaded drivers or available drives, to networking information, including the IP forward table and the speed of the internet connection,” ESET researchers noted. “The malware can be instructed to search for recently-used documents or other interesting files. It can monitor specific directories and removable devices, report any changes and exfiltrate files of the attackers’ choice.”

How did it stay undetected for so long?

According to researchers at ESET, InvisiMole tries to hide its malicious activities by wiping all traces of its footprints. For instance, it always restores the original file access or modification times to ensure that the victim remains unaware of its presence. The malware also safe-deletes all files that it stole, making it nearly impossible for the data to be recovered.

“The malware uses only a few techniques to avoid detection and analysis, yet, deployed against a very small number of high-value targets, it was able to stay under the radar for at least five years,” ESET researchers said.

Although the identity of the threat actors behind InvisiMole and when it was created is still unknown, the sheer volume of spy features that the malware possesses could indicate the skill level of the malware’s authors. The low-infection rate of the malware could also suggest that the malware has, so far, only been used to target very specific individuals and/or organizations.

It still remains to be seen whether the cybercriminals behind the malware may become more active in the future.