Kaspersky Lab’s security research team have uncovered "The Mask" (aka Careto) a highly sophisticated cyber spying operation that has been alive since at least 2007 infecting more than 380 high-profile targets in 31 countries after investigating and monitoring data found on a set of command-and-control (C&C) servers used by the attackers. The main targets of the
operation are government institutions; embassies and other diplomatic
missions; energy, oil and gas companies; research institutions; private
equity firms and activists.
Researchers
dubbed the whole operation “The Mask,” the English translation for the
Spanish word Careto, which is what the attackers called their main
backdoor program. Based on other text strings found in the malware, the
researchers believe its authors are probably proficient in Spanish.
Kaspersky's researchers believe this could be a nation-state sponsored operation as the level of operational security is not normal for cyber-criminal groups and might be new players on the global nation-state cyber-espionage stage.
When active in a victim
system, The Mask can intercept network traffic, keystrokes, Skype
conversations, PGP keys, analyze WiFi traffic, screen captures and monitor all file operations, collecting a large list of
documents from the infected system, including encryption keys, VPN
configurations, SSH keys and RDP (remote desktop protocol) files.They also found several
extensions which have not been able to identify and
could be related to custom military/government-level encryption tools.
Infections have been observed in: Algeria, Argentina, Belgium, Bolivia,
Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany,
Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco,
Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia,
Turkey, United Kingdom, United States and Venezuela.
Victims were targeted
using spear-phishing emails with links leading to websites that hosted
exploits for Java and Adobe Flash Player, as well as malicious
extensions for Mozilla Firefox and Google Chrome.These malicious links seemed to point to news websites, most of them Spanish dailies like El Mundo and El Pais. But they also included fake links to The Guardian, The Washington Post and Time.
The Mask Malware was designed to infect the 32- and 64-bit Windows versions, Mac OS X and Linux versions, but researchers believe that possibly there may be more versions for Android and iPhones (Apple iOS) platforms.
Researchers said,"This is not very common in APT [Advanced Persistent Threat] operations, putting the Mask into the ‘elite’ APT[Advanced Persistent Threat] groups section"because they observed a very high degree of professionalism in the operational
procedures of the group behind this attack, including monitoring of
their infrastructure, shutdown of the operation, avoiding curious eyes
through access rules, using wiping instead of deletion for log files,
etc.
 |
| This is why they call it Careto, or "The Mask." |
It
includes the most sophisticated backdoor SGH, which is designed to
perform a large surveillance function and another backdoor called SBD (Shadowinteger's Backdoor) which uses open source tools like netcat is included in the malware.
The careto module used two layers of
encryption both RSA and AES for its communication with the
attackers’ command-and-control servers, preventing anyone who got
physical access to the servers from reading the communication.
Kaspersky discovered the operation last year when the attackers
attempted to exploit a five-year-old vulnerability in a previous
generation of Kaspersky’s security software that had long-ago been
patched and on investigation of
this malware, CC servers were found down, which shows that attacker
group was monitoring all aspects related to the malware activity. Since
there are no identified patterns in these attacks and who is behind
these activities is yet a matter of investigation for the researchers.
