Kaspersky Lab uncovers ‘The Mask,’ advanced global cyber-espionage ops
By Digital News Asia February 12, 2014
- Primary targets include govt institutions, embassies, research organisations and activists
- Too sophisticated for cyber-criminals, suspected to be a state-sponsored operation
KASPERSKY Lab’s security research team has announced the discovery of ‘The Mask’ (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007.
What makes The Mask special is the complexity of the toolset used by the attackers, the company said in a statrement. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS.
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organisations and activists, Kaspersky Lab said.
Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas.
The main objective of the attackers is to gather sensitive data from the infected systems, Kaspersky Lab said. These include office documents, various encryption keys, VPN (virtual private network) configurations, SSH (Secure Shell) keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).
“Several reasons make us believe this could be a nation-state sponsored campaign,” said Costin Raiu (pic), director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab.
“First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, from infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files.
“These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,” he added. “This level of operational security is not normal for cyber-criminal groups.”
Kaspersky Lab said its researchers initially became aware of Careto last year when they observed attempts to exploit a vulnerability in the company’s products which was fixed five years ago. The exploit provided the malware the capability to avoid detection.
This situation raised their interest and this is how the investigation started, the company said.
For the victims, an infection with Careto can be disastrous. Careto intercepts all communication channels and collects the most vital information from the victim’s machine. Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.
The authors appear to be native in the Spanish language which has been observed very rarely in APT (advanced persistent threat) attacks.
The campaign was active for at least five years until January 2014 (some Careto samples were compiled in 2007). During the course of Kaspersky Lab’s investigations, the command-and-control (C&C) servers were shut down.
Kaspersky Lab said it counted over 380 unique victims between 1000+ IP (Internet Protocol) addresses. Infections have been observed in Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
According to Kaspersky Lab’s analysis report, The Mask campaign relies on spear-phishing e-mails with links to a malicious website. The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration.
Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.
It's important to note the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails.
Sometimes, the attackers use subdomains on the exploit websites, to make them seem more real. These subdomains simulate subsections of the main newspapers in Spain plus some international ones for instance, The Guardian and The Washington Post.
The malware intercepts all the communication channels and collects the most vital information from the infected system. Detection is extremely difficult because of stealth rootkit capabilities.
Careto is a highly modular system; it supports plugins and configuration files, which allow it to perform a large number of functions. In addition to built-in functionalities, the operators of Careto could upload additional modules that could perform any malicious task.
Kaspersky discovers ‘miniFlame,’ designed for highly targeted cyber-espionage
Cyber-espionage: Kaspersky hunts ‘Red October’
US spying, and casting the first stone
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.