Introduction
InvisiMole is a modular spyware toolset that has been in use since at least 2013. The group operating it, first analysed in depth by ESET researchers in 2018, was later shown to cooperate closely with another APT group, Gamaredon.
This collaboration is not merely a loose alliance but a highly structured, tiered operational model. Gamaredon, known for its “noisy and reckless” but widespread campaigns, acts as a spearhead, using broad-spectrum initial access vectors to compromise a large number of targets with relatively simple malware. From this wide pool of compromised systems, the operators identify targets of high value. These select victims are then “upgraded” with the deployment of InvisiMole’s more sophisticated and stealthy arsenal.
This two-stage approach is efficient, leveraging a low-cost, wide-net tool for reconnaissance and initial access, while reserving the high-cost, high-capability InvisiMole implants for missions where deep, persistent espionage is the primary objective. This methodology allows the InvisiMole group to minimize the exposure of its most advanced tools and operate under the radar with remarkable success.
This report provides a protocol-level deconstruction of InvisiMole’s command and control (C2) communications infrastructure. It dissects the group’s core architectural components, its diverse and situationally aware communication protocols, its session management and tasking logic, and its systematic playbook for data exfiltration. By reverse-engineering the operational lifecycle of InvisiMole’s C2, this report aims to provide a detailed blueprint for understanding and countering this elusive threat.
Architectural Overview of InvisiMole’s C2 Framework
The InvisiMole C2 framework is not a monolithic entity but a modular and evolving ecosystem of components, each designed for a specific role in the attack lifecycle. The architecture has progressed from a pair of powerful, all-in-one backdoors to a more flexible system incorporating specialized downloaders and droppers.
This design allows the operators to tailor their deployment strategy based on the target environment and operational requirements, balancing the need for speed, stealth, and long-term persistence.
The Core Backdoor Modules: RC2FM and RC2CL
At the heart of the InvisiMole toolset, as first documented in 2018, are two powerful, feature-rich backdoor modules named RC2FM and RC2CL. These components are typically delivered together, loaded by a single wrapper DLL, and provide the attackers with comprehensive control and spying capabilities over a compromised system.
RC2FM
This is the smaller of the two core modules, containing a backdoor with 15 supported commands. Its functionality is primarily geared towards direct system interaction, modification, and a focused set of espionage tasks.
Its capabilities include:
- Listing information about drives and files,
- Performing file system operations (create, move, delete),
- Executing files, and
- Manipulating the registry.
More critically for espionage, it can be commanded to take screenshots of the victim’s desktop and remotely activate the microphone to capture and record ambient audio.
For the latter, rather than shipping its own encoder, it downloads and misuses a legitimate library, lame.dll, to encode the captured audio as MP3 so that recordings are small enough to exfiltrate efficiently.
RC2CL
The larger and significantly more complex module, RC2CL acts as the primary espionage workhorse of the toolkit. It supports at least 84 distinct commands, focusing on passive data collection and system reconnaissance rather than system modification. Its capabilities are vast and indicative of a mature intelligence-gathering tool.
It can enumerate detailed system information, including lists of active processes, running services, loaded drivers, and network configuration data such as the IP forwarding table.
It is also capable of scanning for enabled wireless networks, collecting the SSID and MAC addresses of visible access points, which can be used to geolocate the victim by cross-referencing public Wi-Fi databases.
A particularly advanced feature is its ability to bypass User Account Control (UAC) to manipulate files in protected locations without administrator privileges.
Most notably, the RC2CL module contains the logic to transform itself into an internal network proxy, a sophisticated capability designed to navigate and control systems within segmented enterprise networks.
Wrapper DLL
Both RC2FM and RC2CL are embedded as encrypted resources within a wrapper DLL. This DLL often masquerades as a legitimate Windows library, such as mpr.dll, complete with a forged version information resource so that it appears benign.
The primary persistence and execution method observed is DLL search order hijacking. The malicious mpr.dll is placed in the same folder as explorer.exe, so Windows loads it into the Explorer process at startup instead of the legitimate library from the System32 directory.
The wrapper then decrypts and loads the RC2FM and RC2CL modules into memory before loading the legitimate library to ensure normal system operation is not disrupted, thereby maintaining stealth.
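The hijack described above leaves a simple, checkable trace: a DLL whose name belongs to System32 is loaded into explorer.exe from explorer’s own directory, and its Microsoft-looking version info is not backed by a valid signature. The following is an added example (not InvisiMole’s code or ESET’s tooling) of a detection pass over Sysmon ImageLoad (Event ID 7) records; the records and the baseline set of System32-only DLL names are constructed for illustration, and the field names follow Sysmon’s Event ID 7 schema.

```python
"""Flag DLL search-order hijacking in Sysmon ImageLoad (Event ID 7) records.

Added example, not InvisiMole's code or ESET's tooling. The event records and the
baseline set below are constructed; field names follow Sysmon's Event ID 7 schema.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"

# Constructed baseline of DLL names that a clean host only ever loads from System32.
# In practice this is built from a reference image; names not listed are ignored.
SYSTEM32_ONLY = {"mpr.dll", "fxsst.dll", "ntdll.dll", "kernel32.dll"}

# Constructed Sysmon Event ID 7 records for one explorer.exe process.
EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Company": "Microsoft Corporation", "Signed": "true", "SignatureStatus": "Valid"},
    # The hijack: a DLL named mpr.dll sitting next to explorer.exe. Its version
    # info claims Microsoft, but it carries no valid Authenticode signature.
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\mpr.dll",
     "Company": "Microsoft Corporation", "Signed": "false", "SignatureStatus": "Unavailable"},
    # The legitimate copy, loaded by the wrapper afterwards to keep Explorer working.
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\mpr.dll",
     "Company": "Microsoft Corporation", "Signed": "true", "SignatureStatus": "Valid"},
]


def _same_dir(a, b):
    """Case-insensitive comparison of two Windows directory paths."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def find_hijacks(events, baseline=SYSTEM32_ONLY, system32=SYSTEM32):
    """Return (dll_path, reasons) for each baseline DLL loaded from outside System32."""
    hits = []
    for ev in events:
        dll = ev["ImageLoaded"]
        if ntpath.basename(dll).lower() not in baseline:
            continue
        dll_dir = ntpath.dirname(dll)
        if _same_dir(dll_dir, system32):
            continue  # loaded from where it belongs
        reasons = [f"loaded from {dll_dir} instead of {system32}"]
        if _same_dir(dll_dir, ntpath.dirname(ev["Image"])):
            reasons.append("same directory as the loading process")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            # Version info (Company, FileVersion) is trivially forged; the
            # signature status is the field worth trusting here.
            reasons.append("no valid signature despite Microsoft version info")
        hits.append((dll, reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in find_hijacks(EVENTS):
        print(f"SUSPICIOUS {path}: {'; '.join(reasons)}")
```

Note that the legitimate System32 copy also appears in the log, loaded a moment later by the wrapper; a rule that only asks “was mpr.dll loaded?” misses the hijack, while one keyed on the load path catches it. DLL names listed under KnownDLLs are always resolved from System32 and cannot be hijacked this way, so the baseline should be built from the remaining, hijackable names.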
TCP and DNS-based Payload Delivery
Analysis of newer InvisiMole campaigns revealed an evolution in the initial stages of infection. Instead of deploying the full backdoor suite immediately, the attackers now use smaller, more specialized downloader components to establish the initial foothold and fetch the main payloads.
TCP Downloader
This is a simple component whose sole purpose is to download and execute the next stage of the attack over a standard TCP connection. Its simplicity suggests it is used in scenarios where speed of deployment is prioritized over long-term stealth, likely for the initial “upgrade” from a Gamaredon infection to the InvisiMole framework.
DNS Downloader (TunnelMole)
In contrast to the TCP downloader, the DNS Downloader is designed for maximum stealth and long-term, covert access. It leverages a custom implementation of DNS tunnelling to establish a C2 channel, embedding its communications within DNS queries and replies. I’ll deconstruct the actual mechanics of this function further below.
The LoadEdge Backdoor
In March 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert (CERT-UA#4213) detailing a new wave of attacks against Ukrainian state organizations. This activity was attributed to the group UAC-0035, which is publicly linked to InvisiMole, and featured a newer backdoor named LoadEdge.
LoadEdge is a backdoor written in C++ that appears to be a functional evolution of the simpler TCP downloader, incorporating more extensive backdoor capabilities directly into the first-stage implant. It is delivered through a multi-stage phishing campaign that begins with an email containing a malicious ZIP archive.
Inside the archive is an LNK (shortcut) file, which, when executed, downloads and runs an HTA (HTML Application) file. This HTA file contains VBScript code that ultimately deploys the LoadEdge DLL.
LoadEdge represents a modernization of InvisiMole’s C2 protocol. Instead of the custom binary protocols of its predecessors, it communicates over HTTP using JSON-structured data, which is common in modern web traffic and therefore harder to distinguish from legitimate application traffic.
Once active, LoadEdge acts as a versatile initial access tool, capable of executing a range of commands for file system operations, file transfers, and even spawning a reverse shell. Crucially, it is used to download and execute further payloads from the InvisiMole arsenal, including the classic RC2CL backdoor and the highly stealthy TunnelMole DNS downloader.
C2 Protocol Analysis
The InvisiMole toolset employs a diverse range of C2 protocols, carefully selected based on the operational stage, the target’s security posture, and the required balance between communication speed and stealth.
HTTP-Based C2s
HTTP and HTTPS are the most common C2 protocols in general, because this kind of traffic is ubiquitous in any enterprise network. InvisiMole leverages this fact with its RC2FM and LoadEdge components.
RC2FM
The RC2FM backdoor uses standard HTTP GET and POST requests for its C2 communication, a classic split in which GET serves the check-in request and POST carries data.
The POST payloads are encrypted with a simple XOR-based cipher and contain a unique identifier for the compromised PC along with a timestamp, giving the C2 server basic host identification.
A particularly interesting feature of RC2FM is its environmental awareness for network egress. It first attempts a direct connection to its C2 servers. If that fails, for example because of firewall restrictions, it queries the system for configured proxy settings and attempts to use them.
Going a step further, it inspects the list of recently executed applications for portable web browsers such as FirefoxPortable.exe and OperaPortable.exe. If one is found, it parses the browser’s configuration files to extract and use any proxy settings defined there.
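Firefox Portable keeps its settings in the profile’s prefs.js as user_pref() lines, so the kind of parsing described above is straightforward. The block below is an added example (not RC2FM’s code) that extracts a manual HTTP proxy from a constructed prefs.js; it also shows the caveat a careful implementation has to handle: network.proxy.http may hold a stale host that Firefox itself no longer uses, because only network.proxy.type = 1 (manual) makes that value authoritative. The Opera Portable format is not covered here.

```python
"""Extract a manually configured HTTP proxy from a Firefox prefs.js file.

Added example, not RC2FM's code: it illustrates the parsing the report describes,
where a portable browser's profile is mined for egress proxy settings.
The prefs.js text below is constructed.
"""
import re

# A prefs.js entry: user_pref("name", value);  value is a quoted string, int or bool.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed profile content in the real prefs.js layout.
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.corp.example");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''


def parse_prefs(text):
    """Return a dict of preference name -> typed value (str, int or bool)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a user_pref() call
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def http_proxy_from_prefs(text):
    """Return 'host:port' only when Firefox would actually use a manual proxy.

    network.proxy.type: 0 = none, 1 = manual, 2 = PAC URL, 4 = auto-detect,
    5 = system settings. Only type 1 makes network.proxy.http authoritative;
    switching back to 0 leaves the old host and port behind in the file.
    """
    prefs = parse_prefs(text)
    if prefs.get("network.proxy.type") != 1:
        return None
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if not host or not isinstance(port, int):
        return None
    return f"{host}:{port}"


if __name__ == "__main__":
    print(http_proxy_from_prefs(SAMPLE_PREFS_JS))
```

From the defender’s side, the same file is the tell: a process other than the browser opening a portable profile’s prefs.js shortly after failed outbound connections is worth a file-access rule, since no legitimate component of a Windows host reads another application’s proxy preferences.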
LoadEdge
The LoadEdge backdoor, while still using HTTP/S, also serializes data using JSON instead of the custom binary formats seen in some of the older modules. Since JSON is the de facto standard for modern web APIs, it allows LoadEdge’s C2 traffic to further blend in with the background of legitimate traffic.
Persistence for this component is typically established by the initial HTA dropper, which creates a Run key in the Windows Registry. The key executes rundll32.exe to load the malicious DLL, which is often given a benign-sounding name such as EdgeNotification.dll.
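A Run-key entry that launches rundll32.exe against a DLL outside the Windows and Program Files trees is a cheap triage signal for exactly this persistence pattern. The block below is an added example (not LoadEdge’s code or CERT-UA’s tooling) that parses text in the shape of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and flags such entries; the value names, user paths and the `,#1` export argument in the sample are constructed, and only the DLL’s file name echoes the report.

```python
"""Triage Run-key autostarts that use rundll32.exe to load a DLL from an untrusted path.

Added example, not LoadEdge's code or CERT-UA's tooling. The input is constructed text
shaped like `reg query HKCU\\...\\CurrentVersion\\Run` output; value names, paths and
the export argument are invented for illustration.
"""
import ntpath
import re

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    EdgeNotification    REG_SZ    rundll32.exe C:\Users\alice\AppData\Local\EdgeNotification.dll,#1
    IntelGfx    REG_SZ    C:\Windows\System32\rundll32.exe C:\Windows\System32\igfxDI.dll,IntelGfxStart
"""

# Directories from which a rundll32-loaded DLL is unremarkable; anything else is flagged.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# reg query prints columns separated by runs of spaces: <name>    <type>    <data>
VALUE_RE = re.compile(r"^\s*(.+?)\s{2,}(REG_SZ|REG_EXPAND_SZ)\s{2,}(.*)$")

# rundll32 with or without a directory prefix and .exe, followed by its arguments.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def rundll32_dll(cmd):
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        # Quoted path, may contain spaces: everything up to the closing quote.
        return rest[1:].split('"', 1)[0]
    # Unquoted: rundll32 treats the text before the first comma as the DLL path.
    return rest.split(",", 1)[0].strip()


def triage_run_key(reg_output, trusted=TRUSTED_PREFIXES):
    """Return (value_name, dll_path) for rundll32 autostarts whose DLL lives outside trusted paths."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header, blank lines
        name, _, data = m.groups()
        dll = rundll32_dll(data)
        if dll is None:
            continue
        norm = ntpath.normcase(ntpath.normpath(dll))
        if not norm.startswith(trusted):
            findings.append((name, dll))
    return findings


if __name__ == "__main__":
    for name, dll in triage_run_key(SAMPLE_REG_QUERY):
        print(f"SUSPICIOUS Run value {name!r} -> rundll32 loads {dll}")
```

REG_EXPAND_SZ data can carry unexpanded variables such as %APPDATA%; expand them with the victim’s environment, not the analysis host’s, before applying the trusted-prefix test. Pair the result with the HTA-to-DLL timeline: a Run value written by mshta.exe or wscript.exe minutes before the DLL first loaded is the sequence the report describes.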