
Slides from Kaspersky's 'The Mask' malware presentation

Researchers shared their discovery and research on espionage malware "The Mask" (aka Careto) at the Kaspersky Labs security summit this week. ZDNet took photos of the presentation.
By Violet Blue, Contributor
1 of 22 Violet Blue/ZDNet

Kaspersky Labs "The Mask"

PUNTA CANA, Dominican Republic -- Kaspersky's security research team revealed "one of the most advanced" cyber-espionage malware threats, "The Mask" (aka Careto), at the 2014 Security Analyst Summit this week.

ZDNet attended Kaspersky's presentation of "Behind the Mask" -- our photos of the presentation and its slides offer more details about the malware.

Slides of the presentation have not yet been published online.

IOC information has been included in Kaspersky's detailed technical research paper.

See: Washington Post, Guardian links used to infect The Mask malware victims

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

The researchers specifically named The Mask's phishing bait as "The Guardian" and "Washington Post" links sent in targeted emails.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

Several unknown extensions are also being monitored; Kaspersky has not been able to identify them and said they "could be related to custom military/government-level encryption tools."

The researchers said, "At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down."

In its official Mask FAQ, published after the presentation and announcements at the end of conference day one, Kaspersky added that the malware's most active year for variants was 2012.

More: Infographic: The Mask malware victims

