Slides from Kaspersky's 'The Mask' malware presentation

Summary: Researchers shared their discovery and research on espionage malware "The Mask" (aka Careto) at the Kaspersky Labs security summit this week. ZDNet took photos of the presentation.

Kaspersky Labs "The Mask"

PUNTA CANA, Dominican Republic -- Kaspersky’s security research team revealed "one of the most advanced" cyber-espionage malware threats, “The Mask” (aka Careto), at the 2014 Security Analyst Summit this week.

ZDNet attended Kaspersky's presentation of "Behind the Mask" -- our photos of the presentation and its slides offer more details about the malware.

Slides of the presentation have not yet been published online.

IOC information has been included in Kaspersky's detailed technical research paper.

See: Washington Post, Guardian links used to infect The Mask malware victims

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

The researchers specifically named The Mask's phishing bait as "The Guardian" and "Washington Post" links sent in targeted emails.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

The malware also monitors several file extensions that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."
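A practical follow-up to the two paragraphs above is to find out what such a file-stealing implant would have taken from one of your own hosts. The Python script below is an added example written for this page; it is not Kaspersky's code, not the Careto stealer, and the extension list and content markers in it are my own illustrative assumptions rather than Kaspersky's published list. It classifies files two ways: by extension (the approach an extension-driven stealer uses) and by content markers, which is what catches key material stored under an unfamiliar or custom extension, the gap the "unknown extensions" remark points at. The sample files it scans are constructed in a temporary directory so the script runs offline.

```python
"""Inventory credential material on a host: files a document-stealing
implant of the kind described in the article would target.

Added example for this page, not Kaspersky's code.  EXT_CATEGORIES and
CONTENT_MARKERS are assumed, illustrative lists; SAMPLES are constructed.
"""
import os
import re
import tempfile

# Assumed extension -> category map for the material the article names.
EXT_CATEGORIES = {
    ".pem": "encryption key", ".key": "encryption key", ".gpg": "encryption key",
    ".asc": "encryption key", ".p12": "encryption key", ".pfx": "encryption key",
    ".ppk": "ssh key", ".ovpn": "vpn config", ".rdp": "rdp file",
}

# Content markers classify files whatever their extension, so a key saved
# as ".xyz" or with no extension at all is still found.  (Assumed list.)
CONTENT_MARKERS = [
    (re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), "private key"),
    (re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"), "pgp private key"),
    (re.compile(rb"PuTTY-User-Key-File-\d"), "ssh key"),
    (re.compile(rb"^full address:s:", re.M), "rdp file"),
    (re.compile(rb"^remote \S+ \d+", re.M), "vpn config"),
]


def classify(path, head=4096):
    """Return a category label for path, or None if it is not of interest.

    Content markers take precedence; the extension is the fallback for
    empty or unreadable files.
    """
    ext = os.path.splitext(path)[1].lower()
    label = EXT_CATEGORIES.get(ext)
    try:
        with open(path, "rb") as f:
            data = f.read(head)
    except OSError:
        return label
    # .rdp files written by mstsc.exe are UTF-16 with a BOM; normalise to
    # UTF-8 so the ASCII markers match.  A truncated read can land on an odd
    # byte boundary, in which case we fall back to matching the raw bytes.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        try:
            data = data.decode("utf-16").encode("utf-8")
        except UnicodeDecodeError:
            pass
    for pattern, content_label in CONTENT_MARKERS:
        if pattern.search(data):
            return content_label
    return label


def inventory(root):
    """Walk root and return {path: label} for every file that classifies."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            label = classify(p)
            if label:
                hits[p] = label
    return hits


# Constructed sample files (not real keys or hosts).
SAMPLES = {
    "id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
              b"-----END OPENSSH PRIVATE KEY-----\n",           # no extension
    "office.rdp": "full address:s:10.0.0.5\r\nusername:s:alice\r\n".encode("utf-16"),
    "corp.ovpn": b"client\nremote vpn.example.test 1194\nproto udp\n",
    "backup.xyz": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n"
                  b"-----END PGP PRIVATE KEY BLOCK-----\n",     # unfamiliar extension
    "notes.txt": b"meeting at 10\n",                            # should not match
    "empty.key": b"",                                           # extension fallback
}


def demo():
    """Write SAMPLES to a temp dir, scan it, return {basename: label}."""
    root = tempfile.mkdtemp(prefix="mask_inventory_")
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return {os.path.basename(p): label for p, label in inventory(root).items()}


if __name__ == "__main__":
    for name, label in sorted(demo().items()):
        print(f"{label:17} {name}")
```

Run against a real home or profile directory by calling `inventory(path)` instead of `demo()`; anything it reports is material that would have been exfiltrated by an implant with the collection behaviour described above, and `backup.xyz` and `id_rsa` in the sample show why an extension-only sweep, whether an attacker's or a defender's, under-counts.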

The researchers said, "At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down."

In its official Mask FAQ, published at the end of conference day one, after the presentation and announcements, Kaspersky added that 2012 was the malware's most active year for new variants.

More: Infographic: The Mask malware victims

Topics: Security, Government, Malware

Talkback

2 comments
  • No one is safe from this...

    This is pretty scary...
    pethers
    • True!

      I have at least one client who I'm positive was a victim of this or a similar attack. There was just no way to reacquire control of the PC. We pulled out all the stops and tried everything in the book that is known to me. We finally just had to take it offline and set it aside. The FBI isn't interested, so maybe Kaspersky would be! I think we'd have to send the whole machine, as I suspect some hardware DRM schemes put in by MPAA requirements around 2008 are probably suspect too. Who is to say some bad actor didn't take over the DRM software/hardware scheme that was implemented at that time? Or maybe THEY were the ones implementing it?

      SONY anyone?
      JCitizen