Kaspersky Lab Uncovers “The Mask”: One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers
By Business Wire
February 10, 2014 03:17 PM EST
Kaspersky Lab’s security research team today announced
the discovery of “The Mask” (aka Careto), an advanced
Spanish-speaking threat actor that has been involved in global
cyber-espionage operations since at least 2007. What makes The Mask
special is the complexity of the toolset used by the attackers,
including an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac
OS X and Linux versions and possibly versions for Android and iOS.
The primary targets are government institutions, diplomatic offices and
embassies, energy, oil and gas companies, research organizations and
activists. Victims of this targeted attack have been found in 31
countries around the world – from the Middle East and Europe to Africa
and the Americas.
The main objective of the attackers is to gather sensitive data from the
infected systems. These include office documents, but also various
encryption keys, VPN configurations, SSH keys (serving as a means of
identifying a user to an SSH server) and RDP files (used by the Remote
Desktop Client to automatically open a connection to the reserved
Kaspersky Lab researchers initially became aware of Careto last year
when they observed attempts to exploit a vulnerability in the company’s
products which was fixed five years ago. The exploit provided the
malware the capability to avoid detection. Of course, this situation
raised their interest and this is how the investigation started.
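The report above lists the credential material Careto harvests (SSH keys, RDP files, VPN configurations); a stolen key file is only as useful to the thief as its protection at rest. The following is an added example, not code from Kaspersky Lab or the report, that audits a set of such files for secrets that would be immediately usable once copied off disk: legacy PEM SSH keys lacking the `Proc-Type: 4,ENCRYPTED` header, `openssh-key-v1` keys whose cipher name is `none`, `.rdp` files with a stored `password 51:b:` field, and OpenVPN profiles that inline a `<key>` block or point `auth-user-pass` at a saved credential file. The sample files, hostnames and base64 bodies are constructed filler, not real keys.

```python
import base64
import re
import struct

# Matches one PEM-style block; \1 ties the END label to the BEGIN label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def ssh_key_unprotected(text):
    """True if `text` is an SSH private key stored without a passphrase.

    Legacy PEM keys announce encryption with a 'Proc-Type: 4,ENCRYPTED' header;
    openssh-key-v1 keys carry the cipher name as the first length-prefixed
    string after the magic, and 'none' means the key material is in clear.
    """
    m = PEM_RE.search(text)
    if not m:
        return False
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            return False
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] == b"none"
    if label.endswith("PRIVATE KEY"):
        return "Proc-Type: 4,ENCRYPTED" not in body
    return False


def rdp_has_saved_password(text):
    """True if a .rdp file carries a stored credential in its 'password 51:b:' field."""
    for line in text.splitlines():
        if line.lower().startswith("password 51:b:"):
            return bool(line.split(":", 2)[2].strip())
    return False


def ovpn_embeds_secret(text):
    """True if an OpenVPN profile inlines a private key or references a saved
    username/password file via 'auth-user-pass <file>'."""
    for line in text.splitlines():
        parts = line.strip().split()
        if parts == ["<key>"] or (parts[:1] == ["auth-user-pass"] and len(parts) > 1):
            return True
    return False


def audit(files):
    """Return (filename, finding) pairs for every file that would hand an
    intruder a usable credential just by copying it off disk."""
    findings = []
    for name, text in sorted(files.items()):
        if name.endswith(".rdp") and rdp_has_saved_password(text):
            findings.append((name, "saved RDP password"))
        elif name.endswith(".ovpn") and ovpn_embeds_secret(text):
            findings.append((name, "VPN profile embeds a secret"))
        elif ssh_key_unprotected(text):
            findings.append((name, "SSH private key without passphrase"))
    return findings


def _openssh_key(cipher):
    # Constructed openssh-key-v1 header (magic, cipher, kdf name) only; not a real key.
    raw = (OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
           + struct.pack(">I", 6) + b"bcrypt")
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample files; base64 bodies are filler and hostnames are placeholders.
SAMPLE_FILES = {
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nQUFBQUFB\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   "QUFBQUFB\n-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519": _openssh_key(b"none"),
    "id_ed25519_enc": _openssh_key(b"aes256-ctr"),
    "fileserver.rdp": "full address:s:fs01.corp.example\nusername:s:admin\n"
                      "password 51:b:01000000D08C9DDF\n",
    "jumphost.rdp": "full address:s:jump.corp.example\nprompt for credentials:i:1\n",
    "office.ovpn": "client\nremote vpn.corp.example 1194\n<key>\nQUFB\n</key>\n",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_FILES):
        print(f"{name}: {finding}")
```

The remediation each finding points to is the same one that limits the value of the harvested files: passphrase-protect private keys (`ssh-keygen -p` re-encrypts an existing key), leave `prompt for credentials:i:1` in RDP files instead of a stored password, and keep VPN keys in a hardware token or an OS keystore rather than inline in the profile.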
For the victims, an infection with Careto can be disastrous. Careto
intercepts all communication channels and collects the most vital
information from the victim’s machine. Detection is extremely difficult
because of stealth rootkit capabilities, built-in functionalities and
additional cyber-espionage modules.
The authors appear to be native Spanish speakers, which has been
observed very rarely in APT attacks.
The campaign was active for at least five years until January 2014
(some Careto samples were compiled in 2007). During the course of
Kaspersky Lab’s investigations, the command-and-control (C&C) servers
were shut down.
We counted over 380 unique victims across 1000+ IPs. Infections have
been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China,
Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar,
Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway,
Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey,
United Kingdom, United States and Venezuela.
The complexity and universality of the toolset used by the attackers
makes this cyber-espionage operation very special. This includes
leveraging high-end exploits, an extremely sophisticated piece of
malware, a rootkit, a bootkit, Mac OS X and Linux versions and
possibly versions for Android and iPad/iPhone (iOS). The Mask also
used a customized attack against Kaspersky Lab’s products.
Among the attack’s vectors, at least one Adobe Flash Player exploit
(CVE-2012-0773) was used. It was designed for Flash Player versions
prior to 10.3 and 11.2. This exploit was originally discovered by
VUPEN and was used in 2012 to escape the Google Chrome sandbox to win
the CanSecWest Pwn2Own contest.
Infection Methods & Functionality
According to Kaspersky Lab’s analysis report, The Mask campaign
relies on spear-phishing e-mails with links to a malicious website. The
malicious website contains a number of exploits designed to infect the
visitor, depending on system configuration. Upon successful infection,
the malicious website redirects the user to the benign website
referenced in the e-mail, which can be a YouTube movie or a news portal.
It's important to note the exploit websites do not automatically infect
visitors; instead, the attackers host the exploits at specific folders
on the website, which are not directly referenced anywhere, except in
malicious e-mails. Sometimes, the attackers use subdomains on the
exploit websites to make them seem more real. These subdomains simulate
subsections of the main newspapers in Spain plus some international ones,
for instance The Guardian and the Washington Post.
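The delivery pattern described above (a link in a spear-phishing e-mail to a hostname whose subdomain imitates a newspaper section, followed by a redirect to the genuine site) leaves a trace in web proxy logs that a defender can hunt for. The following is an added example, not code from Kaspersky Lab or the report: it extracts the registered domain of each requested hostname and flags requests where a news-brand token appears in the subdomain labels while the registered domain does not belong to that brand. The brand list, the minimal public-suffix table, the log line format and the hostnames (all under the reserved `.example` and `.test` names) are constructed for the example; a real deployment would load the full public suffix list and its own brand allow-list.

```python
from urllib.parse import urlsplit

# Constructed brand table: token that would appear in an imitation hostname ->
# registered domains where that token is legitimate.
KNOWN_BRANDS = {
    "guardian": {"theguardian.com", "theguardian.co.uk"},
    "washingtonpost": {"washingtonpost.com"},
    "elpais": {"elpais.com"},
}

# Tiny stand-in for the public suffix list, enough for the sample hostnames.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.es", "com.ar", "com.mx"}


def registered_domain(host):
    """Return the registrable part of a hostname, i.e. what the operator had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def imitated_brand(host):
    """Return the brand a hostname's subdomain labels imitate, or None.

    A hostname is suspicious when a brand token appears left of the registered
    domain while the registered domain itself does not belong to that brand;
    hyphens and underscores are dropped so 'washington-post' still matches.
    """
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    flattened = subdomain.replace("-", "").replace("_", "")
    for brand, legit in KNOWN_BRANDS.items():
        if brand in flattened and reg not in legit:
            return brand
    return None


def parse_proxy_line(line):
    """Parse a constructed proxy log line: '<epoch> <client> <method> <url> <status>'."""
    ts, client, method, url, status = line.split()
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "status": int(status)}


def scan_proxy_log(lines):
    """Return one finding per request whose hostname imitates a known brand."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        brand = imitated_brand(rec["host"])
        if brand:
            findings.append({"client": rec["client"], "host": rec["host"], "brand": brand,
                             "path": urlsplit(rec["url"]).path, "status": rec["status"]})
    return findings


# Constructed log lines; the two 302 responses mimic the described redirect to a
# benign site after the exploit page has been served.
SAMPLE_LOG = """\
1392048000 10.1.2.3 GET http://www.theguardian.com/world 200
1392048001 10.1.2.3 GET http://guardian.news-mirror.example/uk/politics/2014/story.html 302
1392048002 10.1.2.3 GET https://www.youtube.com/watch?v=placeholder 200
1392048010 10.1.2.7 GET http://washington-post.cdn-static.test/us/e9a1/index.html 302
1392048011 10.1.2.9 GET http://politics.washingtonpost.com/ 200
1392048012 10.1.2.9 GET http://news.bbc.co.uk/ 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} -> {hit['host']} imitates {hit['brand']} "
              f"(path {hit['path']}, status {hit['status']})")
```

Because the exploit folders are never linked from anywhere but the e-mail, a flagged request is typically the first and only visit to that registered domain from the whole estate; correlating the hit with the mail gateway log for the same recipient and a recent URL-bearing message turns the heuristic into a usable alert.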
The malware intercepts all the communication channels and collects the
most vital information from the infected system. Detection is extremely
difficult because of stealth rootkit capabilities. Careto is a highly
modular system; it supports plugins and configuration files, which allow
it to perform a large number of functions. In addition to built-in
functionalities, the operators of Careto could upload additional modules
that could perform any malicious task.
Kaspersky Lab’s products detect and remove all known versions of The
“reasons make us believe this could be a nation-state sponsored campaign.
First of all, we observed a very high degree of professionalism in the
operational procedures of the group behind this attack. From
infrastructure management, shutdown of the operation, avoiding curious
eyes through access rules and using wiping instead of deletion of log
files. These combine to put this APT ahead of Duqu
in terms of sophistication, making it one of the most advanced threats
at the moment,” said Costin Raiu, Director of the Global Research and
Analysis Team (GReAT) at Kaspersky Lab. “This level of operational
security is not normal for cyber-criminal groups.”
To read the full report with a detailed description of the malicious tools and
stats, together with indicators of compromise, see Securelist. A
complete FAQ is also available.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint
protection solutions. The company is ranked among the world’s top four
vendors of security solutions for endpoint users*. Throughout its more
than 16-year history Kaspersky Lab has remained an innovator in IT
security and provides effective digital security solutions for large
enterprises, SMBs and consumers. Kaspersky Lab, with its holding company
registered in the United Kingdom, currently operates in almost 200
countries and territories across the globe, providing protection for
over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint
Security Revenue by Vendor, 2012. The rating was published in the IDC
report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor
Shares" (IDC #242618, August 2013). The report ranked software vendors
according to earnings from sales of endpoint security solutions in 2012.