Kaspersky Lab's security research team has uncovered "The Mask" (aka Careto), a highly sophisticated cyber-espionage operation that has been active since at least 2007 and has infected more than 380 high-profile targets in 31 countries. The findings come from investigating and monitoring data found on a set of command-and-control (C&C) servers used by the attackers. The main targets of the operation are government institutions; embassies and other diplomatic missions; energy, oil and gas companies; research institutions; private equity firms; and activists.
Researchers dubbed the whole operation “The Mask,” the English translation for the Spanish word Careto, which is what the attackers called their main backdoor program. Based on other text strings found in the malware, the researchers believe its authors are probably proficient in Spanish.
Kaspersky's researchers believe this could be a nation-state-sponsored operation, as the level of operational security is not normal for cyber-criminal groups; the authors might be new players on the global nation-state cyber-espionage stage.
When active on a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations and PGP keys, analyze WiFi traffic, take screen captures and monitor all file operations, collecting a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP (Remote Desktop Protocol) files. The researchers also found several file extensions that they have not been able to identify and that could be related to custom military/government-level encryption tools.
Infections have been observed in: Algeria, Argentina, Belgium, Bolivia,
Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany,
Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco,
Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia,
Turkey, United Kingdom, United States and Venezuela.
Victims were targeted using spear-phishing emails with links leading to websites that hosted exploits for Java and Adobe Flash Player, as well as malicious extensions for Mozilla Firefox and Google Chrome. These malicious links appeared to point to news websites, most of them Spanish dailies such as El Mundo and El Pais, but they also included fake links to The Guardian, The Washington Post and Time.
The Mask malware was designed to infect 32- and 64-bit versions of Windows, as well as Mac OS X and Linux, but researchers believe there may also be versions for Android and iPhone (Apple iOS) platforms.
Researchers said, "This is not very common in APT [Advanced Persistent Threat] operations, putting the Mask into the 'elite' APT groups section," because they observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files, etc.
This is why they call it Careto, or "The Mask."
The malware includes the most sophisticated backdoor, SGH, which is designed to perform extensive surveillance functions, and another backdoor called SBD (Shadowinteger's Backdoor), which uses open-source tools like netcat.
The Careto module used two layers of encryption, RSA and AES, for its communication with the attackers' command-and-control servers, preventing anyone who gained physical access to the servers from reading the communication.
Kaspersky discovered the operation last year when the attackers attempted to exploit a five-year-old vulnerability in a previous generation of Kaspersky's security software that had long ago been patched. On investigation of this malware, the C&C servers were found to be down, which shows that the attacker group was monitoring all aspects of the malware's activity. Since there are no identified patterns in these attacks, who is behind these activities is still a matter of investigation for the researchers.