Washington Post, Guardian links used to infect The Mask malware victims

Summary: Kaspersky's security research team today revealed "one of the most advanced" cyber-espionage malware threats "The Mask" (aka Careto). Victims including government institutions, private equity firms and high-profile activists are exploited.

Infographic: The Mask's victims

PUNTA CANA, Dominican Republic — Kaspersky Lab security research team just released details about "The Mask" (aka Careto) cyber-espionage malware, calling it "one of the most advanced threats at the moment" at the 2014 Kaspersky Security Analyst Summit.

Researchers told attendees The Mask is an extremely sophisticated nation-state spying tool and believe it to have been in operation since 2007.

IOC information has been included in Kaspersky's detailed technical research paper.

Like Flame, another Kaspersky discovery, Careto is a uniquely powerful and refined cyber-espionage operation comprised of modular tools.

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

Its victims are exploited by phishing emails linking to tainted subdomains simulating subsections of the Washington Post, Guardian, and YouTube, among others.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

There are also several unknown extensions being monitored that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."

In their explosive presentation "A Glimpse Behind The Mask" Kaspersky Lab's Russian researchers Costin Raiu, Vitaly Kamluk and Igor Soumenkov explained that the complexity and universality of the toolset used by the attackers behind "The Mask" earns the malware a place in history.

Malicious "Guardian" and "Washington Post" links target governments and activists

According to Kaspersky Lab’s analysis report, The Mask campaign relies on email links to a malicious website, which in turn hosts a number of exploits designed to infect the visitor, depending on system configuration.

Upon successful infection the malicious website redirects the user to the benign website referenced in the e-mail, which Kaspersky has observed to typically be a YouTube movie or a news portal.

Sometimes, the attackers use subdomains on the exploit websites to make them seem more real — these subdomains simulate subsections of the main newspapers in Spain plus some international ones.

The researchers specifically named The Mask's phishing bait as "The Guardian" and "Washington Post".

Victims of this targeted attack have been found in 31 countries around the world spanning the Middle East, the UK, Europe (including Germany and Belgium), as well as Africa and the United States.

Kaspersky notes that the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere except in The Mask's malicious emails.
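A defender-side illustration of the infection chain described above (lookalike newspaper subdomain, exploit served from an unreferenced folder, then a redirect to the genuine site): this is an added example, not Kaspersky's code or data. It assumes a constructed proxy-log format of `timestamp client host path status`, sorted by time, and the domain names in the sample are placeholders on the reserved `.invalid` TLD.

```python
import re
from datetime import datetime, timedelta

# Brands the article says were imitated, mapped to their real registrable domains (assumption).
BRAND_DOMAINS = {"guardian": "theguardian.com",
                 "washingtonpost": "washingtonpost.com",
                 "youtube": "youtube.com"}

# Constructed proxy-log format: ISO timestamp, client IP, host, path, HTTP status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample: one client hits a lookalike subdomain in a deep folder, then lands on the real site.
SAMPLE_LOG = """\
2014-01-15T09:00:01 10.0.0.5 world.guardian.lookalike-example.invalid /s/a1b2/ 200
2014-01-15T09:00:04 10.0.0.5 www.theguardian.com /world/2014/jan/15/story 200
2014-01-15T09:05:00 10.0.0.9 www.washingtonpost.com /politics/ 200
2014-01-15T09:06:00 10.0.0.7 politics.washingtonpost.lookalike-example.invalid /x/ 404
"""

def registrable_domain(host):
    """Crude last-two-label approximation; a real deployment would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def imitated_brand(host):
    """Return the brand a hostname imitates, or None if the host really belongs to that brand."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and reg != real:
            return brand
    return None

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def find_suspect_chains(lines, window=timedelta(seconds=30)):
    """Flag a lookalike visit followed, from the same client within `window`, by a request
    to the real site it imitates. Returns (client, lookalike host, path, real host) tuples."""
    events = [e for e in map(parse, lines) if e]   # assumes lines are time-ordered
    hits = []
    for i, e in enumerate(events):
        brand = imitated_brand(e["host"])
        if not brand:
            continue
        for f in events[i + 1:]:
            if f["client"] != e["client"]:
                continue
            if f["ts"] - e["ts"] > window:
                break
            if registrable_domain(f["host"]) == BRAND_DOMAINS[brand]:
                hits.append((e["client"], e["host"], e["path"], f["host"]))
                break
    return hits
```

The lookalike-then-redirect pairing is the signal; a lookalike hit with no follow-up (the 10.0.0.7 line) is left for analyst review rather than flagged.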

The researchers said, "At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down."

"The attackers began taking them offline in January 2014. We were also able to sinkhole several C&C servers, which allowed us to gather statistics on the operation."

They added, "We cannot discard that the attackers may decide to bring the campaign back again in the future."

The Mask uses a customized attack against older Kaspersky Lab products in order to hide in the system. In addition, it includes a rootkit, a bootkit, Linux/Mac versions and possibly a version for Apple iOS.

This is putting them above Duqu in terms of sophistication, making it one of the most advanced APTs at the moment.

Careto infection is "disastrous"

Careto intercepts all communication channels and collects the most vital information from the victim’s machine.

Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.

According to the researchers, Careto is a highly modular system; it supports plugins and configuration files, which allow it to perform a large number of functions.

In addition to built-in functionalities, the operators of Careto could upload additional modules that could perform any malicious task.

At least one Adobe Flash Player exploit (CVE-2012-0773) was used among The Mask's attack vectors. (This exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest.)

The Windows backdoor is extremely sophisticated, and the attackers used a number of techniques in order to try to make the attack stealthier.

These include injection into system libraries and attempts to exploit older versions of Kaspersky Lab’s products to avoid detection.

Also the communication between different exploit shellcode modules is done through cookies, which is quite an unusual technique.

Culprits with "a very high degree of professionalism"

Kaspersky's researchers believe this could be a nation-state sponsored operation — and that these might be new players on the global nation-state cyber-espionage stage.

"We observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files, etc.

This level of operational security is not normal for cyber-criminal groups."

In 2012 Kaspersky Labs uncovered Flame, a massive cyber-espionage operation infiltrating computers in the Middle East, and its research indicated a connection with the well-known Stuxnet cyber-weapon, designed to sabotage the Iranian nuclear program.

The authors appear to be native in the Spanish language which has been observed very rarely in APT (Advanced Persistent Threat) attacks, leading Kaspersky to conclude the threat actors are Spanish.

Yet Kaspersky also notes that Careto operates with an extremely sophisticated level of OPSEC (operational security), so the choice of language may simply be another layer of obfuscation.

"Some clues such as the use of the Spanish language are weak, as it is spoken in many countries, including Latin America, Mexico or United States (for instance in Miami, where a strong Spanish-speaking community exists).

We should also keep in mind the possibility of false flag attacks before making any solid assumption on the identity of who is responsible without very solid proof."

Kaspersky researchers counted over 380 unique victims among 1,000 IPs.

Kaspersky Lab’s most current products detect and remove all known versions of The Mask/Careto malware.

  • Afraid to comment...

  • countries attacked can lead to evidence

    How come Morocco and Brazil have the highest infections...What's in Morocco?
    • "How come Morocco and Brazil have the highest infections...What's in Morocc

      • Another "Scary Message" to make Linux look like Windows and Mac...

        ... while there has never been any proof that those Linux personal computers have been hacked by that malware. Are people really so stupid that they believe in theory of ignorant, naive, stupid Linux geeks of open source community seeing or hearing nothing?

        Media pundits, get a life. You should all know that this isn't a Linux problem. You are always talking about "pc security problem" when they are 99,999% just Windows problems.
        • Violet not remotely as bad as other 'journalists'

          To be fair, Violet doesn't mention Linux at all while the competitors all do, so she gets a pass that other lazy journalists don't.

          I'm looking around to find out more about the Linux infection and so far I've found only this: "Kaspersky researchers found Windows and OS X samples and some indications of a Linux versions, but don’t have a Linux sample."

          But then again, this is the same crap that Kaspersky always pulls. They are like the military and police, dependent on there being fear to make their business grow.
  • This is what I gathered from this article

    "Kaspersky notes that the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere except in The Mask's malicious emails."

    I frequently visit both of these sites. It's inferred that I can't be infected from just day-to-day use of these sites.
  • more difficult does not = immune

    Just because you wrapped your pc in bubble wrap does not mean you are immune. If some major bank or department store or other worthwhile target started using 'bobo' Linux tomorrow you would be just as much a target as anyone else :-)
  • Strange

    Belgium is infected, Germany is infected and the U.K. is infected.
    But the Netherlands, in the middle of those 3 countries and basically surrounded by them, is not?
    • Netherlands

      Always look way too innocent for my liking, and obviously no one would infect their own computers so it must obviously be them behind this.
      • Internet logic at its best...

  • Careto?

    Would Careta not be more appropriate name for this nasty infection?