Washington Post, Guardian links used to infect The Mask malware victims

Kaspersky's security research team today revealed "one of the most advanced" cyber-espionage malware threats "The Mask" (aka Careto). Victims including government institutions, private equity firms and high-profile activists are exploited.
Written by Violet Blue, Contributor
Infographic: The Mask's victims

PUNTA CANA, Dominican Republic — Kaspersky Lab security research team just released details about "The Mask" (aka Careto) cyber-espionage malware, calling it "one of the most advanced threats at the moment" at the 2014 Kaspersky Security Analyst Summit.

Researchers told attendees The Mask is an extremely sophisticated nation-state spying tool and believe it to have been in operation since 2007.

IOC information has been included in Kaspersky's detailed technical research paper.

Like Flame, another Kaspersky discovery, Careto is a uniquely powerful and refined cyber-espionage operation comprised of modular tools.

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

Its victims are exploited by phishing emails linking to tainted subdomains simulating subsections of the Washington Post, Guardian, and YouTube, among others.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

There are also several unknown extensions being monitored that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."

In their explosive presentation "A Glimpse Behind The Mask" Kaspersky Lab's Russian researchers Costin Raiu, Vitaly Kamluk and Igor Soumenkov explained that the complexity and universality of the toolset used by the attackers behind "The Mask" earns the malware a place in history.

Malicious "Guardian" and "Washington Post" links target governments and activists

According to Kaspersky Lab’s analysis report, The Mask campaign relies on email links to a malicious website, which in turn hosts a number of exploits designed to infect the visitor, depending on system configuration.

Upon successful infection the malicious website redirects the user to the benign website referenced in the e-mail, which Kaspersky has observed to typically be a YouTube movie or a news portal.

Sometimes, the attackers use subdomains on the exploit websites to make them seem more real — these subdomains simulate subsections of the main newspapers in Spain plus some international ones.

The researchers specifically named The Mask's phishing bait as "The Guardian" and "Washington Post".

Victims of this targeted attack have been found in 31 countries around the world spanning the Middle East, the UK, Europe (including Germany and Belgium), as well as Africa and the United States.

Kaspersky notes that the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere except in The Mask's malicious emails.

The researchers said, "At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down."

The attackers began taking them offline in January 2014. We were also able to sinkhole several C&C servers, which allowed us to gather statistics on the operation.

They added, "We cannot discard that the attackers may decide to bring the campaign back again in the future."

The Mask uses a customized attack against older Kaspersky Lab products in order to hide in the system. In addition, it includes a rootkit, a bootkit, Linux/Mac versions and possibly a version for Apple iOS.

This is putting them above Duqu in terms of sophistication, making it one of the most advanced APTs at the moment.

Careto infection is "disastrous"

Careto intercepts all communication channels and collects the most vital information from the victim’s machine.

Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.

According to the researchers, Careto is a highly modular system; it supports plugins and configuration files, which allow it to perform a large number of functions.

In addition to built-in functionalities, the operators of Careto could upload additional modules that could perform any malicious task.

At least one Adobe Flash Player exploit (CVE-2012-0773) was used among The Mask's attack vectors. (This exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest.)

The Windows backdoor is extremely sophisticated, and the attackers used a number of techniques in order to try to make the attack stealthier.

These include injection into system libraries and attempting to exploit older of Kaspersky Lab’s products to avoid detection.

Also the communication between different exploit shellcode modules is done through cookies, which is quite an unusual technique.

Culprits with "a very high degree of professionalism"

Kaspersky's researchers believe this could be a nation-state sponsored operation — and that these might be new players on the global nation-state cyber-espionage stage.

We observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files, etc.

This level of operational security is not normal for cyber-criminal groups.

In 2012 Kaspersky Labs uncovered Flame, a massive cyber-espionage operation infiltrating computers in the Middle East, and its research indicated a connection with the well-known Stuxnet cyber-weapon, designed to sabotage the Iranian nuclear program.

The authors appear to be native in the Spanish language which has been observed very rarely in APT (Advanced Persistent Threat) attacks, leading Kaspersky to conclude the threat actors are Spanish.

Yet Kaspersky also notes that Careto operates with an extremely sophisticated level of OPSEC (operational security), so the choice of language may simply be another layer of obfuscation.

"Some clues such as the use of the Spanish language are weak, as it is spoken in many countries, including Latin America, Mexico or United States (for instance in Miami, where a strong Spanish-speaking community exists).

We should also keep in mind the possibility of false flag attacks before making any solid assumption on the identity of who is responsible without very solid proof."

Kaspersky researchers counted over 380 unique victims among 1,000 IPs.

Kaspersky Lab’s most current products detect and remove all known versions of The Mask/Careto malware.

The Mask_APT
Editorial standards