The Mask, a highly advanced global cyber threat discovered
By Robin-Leigh Chetty 11 February 2014 | Categories: newsKaspersky Lab believes it has discovered one of the most sophisticated, intelligent and highly coordinated global cyber threats of the last decade. The malware based virus, referred to as The Mask or Careto, is a Spanish-language based cyber spying operating since 2007.
The virus’ primary targets have been high-level entities such as government institutions, diplomatic offices, energy and natural resource companies, as well as research organisations and activists, with four recognised infection attempts also detected in South Africa.
The unique characteristic of The Mask is its high level of complexity, said to consist of “an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS”.
For the victims, an infection with Careto can be disastrous. Careto intercepts all communication channels and collects the most vital information from the victim’s machine. Detection is extremely difficult because of the stealth its rootkit capabilities, built-in functionalities, and additional cyber-espionage modules.
Key Discoveries
- The authors appear to be native in the Spanish language which has been observed very rarely in APT (Advanced Persistent Threat) attacks.
- The campaign was active for at least five years until January 2014 (some Careto samples were compiled in 2007). During the course of Kaspersky Lab’s investigations, the command-and-control (C&C) servers were shut down.
- Kaspersky counted over 380 unique victims between 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
Infection Methods and Methodology
According to Kaspersky Lab’s 65 page analysis report, The Mask campaign relies on spear-phishing e-mails with links to a ‘malicious’ website. The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration. Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.
Kaspersky Labs notes that the exploit websites do not automatically infect visitors. Instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails. Sometimes, the attackers use subdomains on the exploit websites, to make them seem more real. These subdomains simulate subsections of the main newspapers in Spain plus some international ones for instance, the Guardian and The Washington Post.
The anti-virus company believes its antivirus products are capable of detecting and removing all known versions of this cyber spying threat. Kaspersky have also created an informative infographic detailing the location and frequency of Careto attacks.
Most Read Articles
Have Your Say
What new tech or developments are you most anticipating this year?