Wednesday, February 12, 2014

'The Mask'

» Researchers uncover cyber spying campaign dubbed 'The Mask'
10/02/14 20:27 from Mike Nova's Shared Newslinks
mikenova shared this story from Puerto Rico News - Selected Feeds Review. PUNTA CANA, Dominican Republic (Reuters) - A computer security software firm has uncovered what it calls the first cyber espionage campaign believed to be started ...

'The Mask' - Google News Search 

Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years

Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years

A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries.
Details about the operation were revealed Monday in a paper by security researchers from antivirus firm Kaspersky Lab who believe the attack campaign could be state sponsored.
The Kaspersky researchers dubbed the whole operation “The Mask,” the English translation for the Spanish word Careto, which is what the attackers called their main backdoor program. Based on other text strings found in the malware, the researchers believe its authors are probably proficient in Spanish, which is unusual for an APT (advanced persistent threat) campaign.
“When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations,” the Kaspersky researchers said in the research paper. “The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.”

World Wide Web woes

Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets of the operation are government institutions; embassies and other diplomatic missions; energy, oil and gas companies; research institutions; private equity firms and activists.
careto mapKASPERSKY
Careto hooks have sunk into systems worldwide, according to Kaspersky. (Click to enlarge.)
Victims were targeted using spear-phishing emails with links leading to websites that hosted exploits for Java and Adobe Flash Player, as well as malicious extensions for Mozilla Firefox and Google Chrome. The URLs used were meant to impersonate the websites of popular newspapers, many in Spanish, but also The Guardian, The Washington Post and The Independent.
Historical data collected from debug logs accessible on C&C servers showed that more than 1,000 victim IP (Internet Protocol) addresses had connected to them. The top five countries by victim IP address count were Morocco, Brazil, the U.K., Spain and France.
Kaspersky was also able to redirect the domain names for some of the C&C servers to a server under its control—an operation known as sinkholing—in order to gather statistics and collect more accurate information about the locations of current victims. The active monitoring of connections to the sinkhole server showed a different distribution by country, but Spain, France and Morocco remained in the top 5 by both IP address count and unique victim IDs.
The attackers began shutting down their command-and-control servers in January, and at this time all servers that the Kaspersky researchers knew of are offline. Even so, it’s not certain that all victims have been identified, so the paper includes technical details that organizations can use to check their networks and systems for intrusions with this threat.
Also, the possibility of attackers resurrecting the attack campaign cannot be ruled out, the researchers said in a blog post.

Advanced threat

In terms of sophistication, the Kaspersky researchers place The Mask campaign above other cyberespionage operations such as Duqu, Gauss, Red October and Icefog that the company has identified over the past few years.
“For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on,” the researchers said in their paper. “This is not very common in APT operations, putting the Mask into the ‘elite’ APT groups section.”
careto codeKASPERSKY
That's why they call it Careto, or "The Mask."
The malware toolset used by the attackers includes three different backdoor programs, one of which had versions for Mac OS X and Linux in addition to Windows. Some evidence possibly indicating infections on iOS and Android devices was also found on the C&C servers, but no malware samples for those platforms was recovered.
The Careto backdoor program collects system information and can execute additional malicious code, the Kaspersky researchers said. It also injects some of its modules into browser processes—it can do so in Internet Explorer, Mozilla Firefox and Google Chrome—to communicate with command-and-control servers.
Careto was often used to install a second, more complex backdoor program called SGH that has a modular architecture and can be easily extended. This second threat contains a rootkit component and has modules for intercepting system events and file operations as well as performing a large number of surveillance functions.
SGH also attempts to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection, which is what attracted the researchers’ attention in the first place and prompted the investigation. However, that vulnerability was patched back in 2008 and only affects versions of Kaspersky Workstation older than 6.0.4. and Kaspersky Anti-Virus and Kaspersky Internet Security 8.0 installations that haven’t been properly updated, the researchers said.
The third backdoor program is based on an open-source project called SBD, short for Shadowinteger’s Backdoor, which is itself based on the netcat networking utility. The Kaspersky researchers found customized SBD variants for Windows, Mac OS X and Linux associated with The Mask operation, but the Linux variant was damaged and couldn’t be analyzed.

An old hand

Different variants of the backdoor programs used in The Mask over the years have been identified, the oldest of which appears to have been compiled in 2007.
Most samples were digitally signed with valid certificates issued to a company called TecSystem Ltd. from Bulgaria, but it’s not clear if this company is real. One certificate was valid between June 28, 2011 and June 28, 2013. The other was supposed to be valid from April 18, 2013 to July 18, 2016, but has since been revoked by VeriSign.
“Nation-state-level cyber-offensive operations can lurk in the dark for many years before being discovered and fully analyzed,” said Igor Soumenkov, principal security researcher at Kaspersky Lab, via email. “Sometimes, samples are detected, but the researchers lack the data to make a ‘big picture’ out of it. With Careto, we tried not just to analyze the attack against Kaspersky products, but to understand what is the big picture.”
Soumenkov believes the use of the Spanish language and the compilation date of the oldest sample suggest that state-sponsored attackers from countries other than China, Russia or the U.S. have been running cyberespionage attacks longer than previously thought.

Search Results

  1. Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years

    PCWorld-by Lucian Constantin-Feb 11, 2014Share
    The Kaspersky researchers dubbed the whole operation “The Mask,” the English translation for the Spanish word Careto, which is what the ...
  2. Branson: Behind the Mask by Tom Bower – review

    The Guardian-4 hours ago
    Branson: Behind the Mask by Tom Bower – review. What are the dark secrets that lurk behind the public image of the fun-loving entrepreneur?
  3. Infographic: The Mask malware victims

    ZDNet-by Violet Blue-Feb 10, 2014
    See: Washington Post, Guardian links used to infect The Maskmalware victims. Kaspersky researchers counted over 380 unique victims ...
  4. New 'Mask' APT Campaign Called Most Sophisticated Yet

    Threatpost-Feb 10, 2014
    The attack, dubbed the Mask, or “Careto” (Spanish for “Ugly Face” or “Mask”) includes a number of unique components and functionality and ...
  5. 'The Mask' malware sets standards hackers are sure to follow

    CSO-10 hours ago
    February 11, 2014 — CSO — A recently discovered hacking group called "The Mask" has set a new standard for malware used in sophisticated attacks against ...
  6. Kaspersky Lab Outs 'The Mask' Cyber-Spy Attacks

    Sci-Tech Today-10 hours ago
    The Mask cyber-espionage campaign relies on spear-phishing e-mails with links to a malicious Web site, according to Kaspersky Lab.
  7. Spy tool dubbed 'The Mask' undetected for seven years

    South China Morning Post-14 hours ago
    Dubbed "The Mask", the campaign had operated undetected since 2007 and infected more than 380 targets before it stopped last week, ...
  8. Behind “The Mask”: Huge, sophisticated “Careto” malware discovered

    SlashGear-by Chris Davies-Feb 10, 2014
    Dubbed "The Mask" from the Spanish slang "Careto" - meaning "ugly face" or "mask" - found in the malware code, the hackers have put ...
  9. Uncovering 'The Mask', the most sophisticated malware yet?

    SiliconANGLE (blog)-by Mike Wheatley-Feb 11, 2014
    The malware, which has been dubbed “The Mask”, appears to be the work of Spanish-speaking cybercriminals. Researchers said that the word ...
  10. Cyberespionage operation 'The Mask' compromised organizations ...

    InfoWorld-by Lucian Constantin-Feb 11, 2014
    The Kaspersky researchers dubbed the whole operation "The Mask," the English translation for the Spanish word Careto, which is what the ...