And people wonder why I remove the webcam software on my notebook and put tape over the camera lens.
This is the modus operandi of the two malicious components of InvisiMole. They turn the affected computer into a video camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device may be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and stealing the victim’s secrets.
Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia.
The campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen computers being affected.
InvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources. Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible.
Extra measures are taken to avoid attracting the attention of the compromised user, enabling the malware to reside on the system for a longer period of time. How the spyware was spread to the infected machines is yet to be determined by further investigation. All infection vectors are possible, including installation facilitated by physical access to the machine...
Conclusion
InvisiMole is fully-equipped spyware whose rich capabilities can surely compete with other espionage tools seen in the wild.
We can only wonder why the authors decided to use two modules with overlapping capabilities. One might think the smaller module, RC2FM, is used as an initial reconnaissance tool, while the bigger RC2CL module is only run on interesting targets. This is, however, not the case – both of the modules are launched simultaneously. Another possible explanation is that the modules might have been crafted by various authors and then bundled together to provide the malware operators a more complex range of functionalities.
The malware uses only a few techniques to avoid detection and analysis, yet, deployed against a very small number of high-value targets, it was able to stay under the radar for at least five years...
Read more: InvisiMole spyware hunting for secrets while staying deep in the shadows
See also: malware-ioc/invisimole at master - eset/malware-ioc - GitHub
And people wonder why I remove the webcam software on my notebook and put tape over the camera lens.
I use a simple plastic lens blocker to physically cover my lens. Sometimes the simplest solution (low tech) is the best solution.
Erm, Russia and the Ukraine affected - perhaps it's just Vladimir checking next year's election results
How is protecting/covering the lens going to stop users from accessing your content? I don't use any protection, but my system notifies me whenever the webcam gets turned on. My laptop is only open when I am working; the rest of the time it just sleeps face down. The only thing they will be able to access is a dark keyboard, lol!
Not a big webcam or skype user, so I rarely use a webcam these days. When it's not being used on my desktop systems I keep it unplugged, and I don't even have the drivers enabled or software installed for it on my laptop.
Because I'm paranoid, my integrated camera is disabled in Device Manager and the USB one is disconnected.
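Two of the replies above describe defensive habits worth scripting: getting notified when the webcam is turned on, and disabling the camera in Device Manager. The PowerShell below is an added example written for this thread, not code from ESET or from any of the posters. It lists camera devices, reads the per-app webcam usage records that Windows 10 (1903 and later) keeps under the CapabilityAccessManager ConsentStore key, and offers a function that does the Device Manager disable from the shell. The registry layout (LastUsedTimeStart/LastUsedTimeStop as FILETIME values, a LastUsedTimeStop of 0 meaning "in use right now", desktop programs filed under NonPackaged with backslashes written as '#') is an assumption about current Windows builds; the Disable-AllCameras function needs an elevated prompt.

```powershell
# Added example (not from the thread): inventory camera devices, report which
# applications Windows records as using the webcam, and optionally disable
# the cameras the way Device Manager would.
# Assumes Windows 10 1903+ and the ConsentStore\webcam registry layout.

function Get-CameraDeviceStatus {
    # Integrated and USB webcams enumerate under the Camera or Image setup class.
    Get-PnpDevice -Class Camera, Image -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, Status, InstanceId
}

function Get-WebcamConsumers {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam'
    if (-not (Test-Path $root)) { return @() }

    # Packaged (Store) apps sit directly under the key; classic desktop
    # programs sit under NonPackaged, keyed by their path with '\' written as '#'.
    $keys = Get-ChildItem $root -Recurse | Where-Object { $_.PSChildName -ne 'NonPackaged' }

    foreach ($key in $keys) {
        $props = Get-ItemProperty $key.PSPath
        if ($null -eq $props.LastUsedTimeStart) { continue }   # never used the camera

        $stop = [int64]$props.LastUsedTimeStop
        [pscustomobject]@{
            App       = $key.PSChildName -replace '#', '\'
            LastStart = [DateTime]::FromFileTimeUtc([int64]$props.LastUsedTimeStart)
            LastStop  = if ($stop -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($stop) }
            InUseNow  = ($stop -eq 0)                             # 0 = session still open
        }
    }
}

function Disable-AllCameras {
    # Shell equivalent of "disabled in Device Manager"; requires an elevated prompt.
    Get-PnpDevice -Class Camera, Image -Status OK -ErrorAction SilentlyContinue |
        ForEach-Object { Disable-PnpDevice -InstanceId $_.InstanceId -Confirm:$false }
}

# Usage: show the cameras present, then any app that holds the webcam open right now.
Get-CameraDeviceStatus | Format-Table -AutoSize
Get-WebcamConsumers | Where-Object InUseNow | Format-Table -AutoSize
```

Run Get-WebcamConsumers on a schedule (or from a task triggered on a registry change to that key) to get the kind of "webcam turned on" notification the poster describes. The ConsentStore only records access that passes through Windows' capability access manager, so treat it as a complement to, not a replacement for, the physical cover and the device-level disable the other replies recommend.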