PUNTA CANA, Dominican Republic -- Kaspersky’s security research team today revealed "one of the most advanced" cyber-espionage malware threats “The Mask” (aka Careto).
The researchers told 2014 Security Analyst Summit attendees they believe The Mask to have been in operation since 2007 and to be an extremely sophisticated nation-state spying tool.
Kaspersky researchers counted over 380 unique victims between 1,000 IP's.
Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
The full list of targeted files includes:
The detection names to look for are Trojan.Win32/Win64.Careto.* and Trojan.OSX.Careto. IOC information has been included in Kaspersky's detailed technical research paper.
The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.
The researchers specifically named The Mask's phishing bait as "The Guardian" and "Washington Post" links sent in targeted emails.
Victims of this targeted attack have been found in 31 countries around the world spanning the Middle East, the UK, Europe (including Germany and Belgium), as well as Africa and the United States.
The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.
There are also several unknown extensions being monitored that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."
The researchers said, "At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down."