Time to cover your webcam? This stealthy spyware records video and audio

Sneaky malware is highly targeted and goes out the way to avoid detection - and nobody knows how it infects its victims.
Written by Danny Palmer, Senior Writer

A newly uncovered cyber-espionage malware tool is turning PCs into listening posts, enabling attackers to listen into conversations and take photos using the compromised machine.

Dubbed InvisiMole, the campaign has been active since 2013 but has only just been uncovered -- highlighting the especially stealthy nature of the attacks.

The malware has been detailed by researchers at ESET, after being discovered on compromised computers in Ukraine and Russia. It's believed that the campaign is highly targeted, with just a few dozen computers affected, but that the targets are high-profile and high-value to the attackers.

ESET said the malware turns the affected computer "into a video camera, letting the attackers see and hear what's going on in the victim's office or wherever their device may be".

Those behind the campaign have managed to cover their tracks so well that researchers are unsure who is behind InvisiMole, but one thing is for certain: the powerful nature of the tool puts it up there with spying campaigns conducted by some of the most sophisticated groups.

"InvisiMole is fully-equipped spyware whose rich capabilities can surely compete with other espionage tools seen in the wild," said Zuzana Hromcová, malware analyst at ESET.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

Such is the under-the-radar nature of InvisiMole that researchers are still uncertain about how the payload is delivered to target machines, with all infection vectors currently deemed possible, including physical access to the computer itself.

What is known is that the malware is hidden within what's designed to look like software for providing compatibility between applications. This file -- disguised to look as it belongs where it is stored -- is what InvisiMole is run from and used to compromise the system.

In addition to this, InvisiMole hides itself from the infected victim -- and the network administrator -- by encrypting its strings, internal files, configuration data and network communication.

Within the malware is a module called RC2FM which creates a backdoor to the entire system and a selection of different commands which can be run on the infected computer when instructed to by the attackers.

These include the ability to record sound using the input audio devices of the machine and the ability to take screenshots of the infected computer. Researchers note that screenshots of each open window can be separately captured, allowing attackers to take screenshots of applications that are running in the background.

The malware also allows the attacker to open, create and delete files, list all the information about the system and more -- with the attackers careful not to leave evidence of this activity.

See: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

All of this information can be extracted to a command and control server run by the attackers, to be used for whatever nefarious purposes the cyber-espionage campaign is being carried out for. Attackers can also track the exact location of a device -- a useful tactic, if the infected computer is a laptop and is being transported around.

"InvisiMole is capable of scanning enabled wireless networks on the compromised system. It records information such as the SSID and MAC address of the visible Wi-Fi access points. This data can then be compared to public databases, letting the attackers track the geolocation of the victim," said Hromcová.

As the campaign has only just been uncovered, it is likely to still be actively carrying out attacks against its specially selected targets. Researchers have posted a full list of Indicators of Compromise.


Editorial standards