
Slides from Kaspersky's 'The Mask' malware presentation

Researchers shared their discovery and research on espionage malware "The Mask" (aka Careto) at the Kaspersky Labs security summit this week. ZDNet took photos of the presentation.

Topic: Security
Slide 1 of 22 (photo: Violet Blue/ZDNet)

Kaspersky Labs "The Mask"

PUNTA CANA, Dominican Republic -- Kaspersky’s security research team revealed "one of the most advanced" cyber-espionage malware threats “The Mask” (aka Careto) at the 2014 Security Analyst Summit this week.

ZDNet attended Kaspersky's presentation of "Behind the Mask" -- our photos of the presentation and its slides offer more details about the malware.

Slides of the presentation have not yet been published online.

IOC information has been included in Kaspersky's detailed technical research paper.

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

The researchers specifically named The Mask's phishing bait as "The Guardian" and "Washington Post" links sent in targeted emails.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

There are also several unknown extensions being monitored that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."

The researchers said, "At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down."

In its official Mask FAQ, published after the presentation and announcements at the end of conference day one, Kaspersky added that 2012 was the malware's most active year for variants.

More: Infographic: The Mask malware victims

Slides 2 and 3 of 22 (photos: Violet Blue/ZDNet), captioned "Kaspersky Labs 'The Mask'": same caption text as slide 1.

Slides 4 through 22 of 22 (photos: Violet Blue/ZDNet), each captioned only "Kaspersky Labs 'The Mask'".
