Careto aka The Mask: “Grandmaster” Cyber Espionage Operation Discovered After 7 Years in the Wild

In Archive, Hacking, Internet, Kaspersky, Malware on February 13, 2014 at 2:45 AM

“If APT attackers are like chess players, Mask is the grandmaster” – Costin Raiu


Kaspersky/Kim Zetter/WIRED/Dennis Fisher/ThreatPost/LastWatchdog/Timothy B. Lee/WashingtonPost:

Researchers have uncovered a sophisticated cyber spying operation that has been alive since at least 2007 and uses techniques and code that surpass any nation-state spyware previously spotted in the wild.

The attack, dubbed Careto, or “The Mask” by the researchers at Kaspersky Lab in Russia who discovered it, targeted government agencies, diplomatic offices and embassies before it was dismantled last month. It also targeted companies in the oil, gas and energy industries, private equity firms, as well as research organizations and activists. The attackers successfully hacked organizations in 31 nations in the Middle East, Europe, Africa and the Americas. Kaspersky uncovered at least 380 victims, with the majority of the targets in Morocco and Brazil.

The attack — possibly from a Spanish-speaking country — used sophisticated malware, rootkit methods and a bootkit to hide and maintain persistence on infected machines.

Once Careto has compromised a system, it begins collecting sensitive information from it. The software can “intercept network traffic, keystrokes, Skype conversations, analyse WiFi traffic, PGP keys, fetch all information from Nokia devices, screen captures and monitor all file operations.”

The attackers sought not only to steal documents, but also to steal encryption keys, data about a target’s VPN configurations and Adobe signing keys, and to wipe and delete other data on targeted machines.

The Mask also went after files with extensions that Kaspersky has not been able to identify yet. The Kaspersky researchers believe the extensions may be used by custom government programs, possibly for encryption.

“They are absolutely an elite APT [Advanced Persistent Threat] group; they are one of the best that I have seen,” Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, said at a conference here today. “Previously in my opinion the best APT group was the one behind Flame . . . these guys are better. The speed and professionalism is beyond . . . anything else that we’ve seen so far.”

Kaspersky found evidence that the attackers may be native Spanish speakers. The attack uses three backdoors, one of which the attackers named Careto, which means Mask in Spanish. Raiu said it’s the first APT malware they’ve seen with Spanish language snippets; usually, it’s Chinese.

Raiu was circumspect about what nation might be involved, noting that there are 21 Spanish-speaking nations. “It could be any one of them,” he says. Careto’s controllers have gone to great pains to remain undetected, unlike the Chinese hacking group known as APT1, which has been widely tracked for several years.

And the researchers note that the fragments of Spanish may be a “false flag” operation: The software’s authors may have deliberately inserted Spanish slang into the software’s source code to divert attention from the real authors.

Kaspersky believes the espionage operation belongs to a nation state because of its sophistication and because of an exploit the attackers used that the Kaspersky researchers believe may have been sold to the attackers by Vupen, a company in France that sells zero-day exploits to law enforcement and intelligence agencies.

Vupen sparked controversy in 2012 when they used the same vulnerability — then a zero-day — to win the Pwn2Own contest at the CanSecWest conference in Vancouver. The exploit Vupen designed allowed them to bypass the security sandbox in Google’s Chrome browser.

Vupen co-founder Chaouki Bekrar refused at the time to provide details about the vulnerability to Google, saying he would be withholding the information to sell to his customers.

Raiu says they don’t know for certain that the Mask attackers used the Vupen exploit to attack the Flash vulnerability, but the code is “really really sophisticated” and it’s highly unlikely that the attackers would have created their own separate exploit, he says.

Vupen today said the exploit was not theirs.

The Mask attackers designed at least two versions of their malware – for Windows and Linux-based machines – but the researchers believe there may also be mobile versions of the attack for Android and iPhone/iPad devices, based on some evidence they uncovered.

They targeted victims through spear-phishing campaigns that included links to web pages from which the malware was loaded onto their machines. In some cases, the attackers used familiar-seeming subdomains for their malicious URLs to trick victims into thinking they were visiting legitimate sites for the top newspapers in Spain or for the Guardian and Washington Post. Once the user was infected, the malicious web site redirected users to the legitimate site they sought.

Kaspersky discovered the operation last year when the attackers attempted to exploit a five-year-old vulnerability in a previous generation of Kaspersky’s security software that had long ago been patched.

Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Raiu said that after the post was published, the Mask operators rolled up their campaign within about four hours.

“We observed a very high degree of professionalism in the operational procedures of the group behind this attack,” Raiu says. “From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment.”

However, Raiu said that the attackers could resurrect the operation without much trouble.

“They could come back very quickly if they wanted,” he said.

The emergence of the malware underscores that software-based espionage is an important new source of power. Last year, documents leaked by Edward Snowden revealed that the National Security Agency has a large “Tailored Access Operations” department dedicated to building offensive hacking capabilities. If the NSA didn’t build Careto, it’s a safe bet that they have something like it. And intelligence agencies in China, Russia and other great powers are likely working on software like it too.
