PUNTA CANA – Researchers from Kaspersky Lab unveiled details on a sophisticated cyber-espionage campaign that the security firm is calling most advanced it has ever seen.
At Kaspersky Lab’s Security Analyst Summit, taking place this week in Punta Cana, Dominican Republic, researchers said The Mask is the work of an “advanced Spanish-language speaking threat actor” that has been involved in the global operations since at least 2007.
Named “The Mask”, and also referred to as “Careto” due to references in some of the malware modules, what makes the operation so interesting is the complexity of the toolset used by the attackers, including an extremely sophisticated malware, a rootkit, bootkit, Mac and Linux versions and possibly versions for iOS.
“They are absolutely an elite APT group,” Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, told a group of journalists in a briefing Monday morning.
The Spanish-speaking attackers are targeting government entities, energy, oil gas companies and other high-profile victims such as research institutions and private equity firms, with the goal of collecting sensitive data from infected systems.
“They are one of the best I have seen,” Raiu said. “Previously, in my opinion, the best APT group was the one behind Flame. Now, I have changed my opinion—these guys are better than [the Flame APT group] because of the way they manage the infrastructure and way they react to threats.”
“The speed and reaction and the professionalism of The Mask is beyond that of Flame and anything else that we have seen so far,” Raiu said.
While the exact number of victims is not known, Kaspersky Lab said it has observed victims at more than 1000 IP addresses in 31 countries. Infections in Morocco and Brazil led the list, with the UK, France and Spain following.
Interestingly, The Mask uses a customized attack against older Kaspersky products in order to hide in the system.
Based on the complexity of the malware and several other factors, Kaspersky Lab believes the operation is a nation-state sponsored effort.
Powerful and difficult to detect, Careto intercepts all the communication channels and collects the most vital information from the victim’ system.
Detection is extremely difficult because of its stealth rootkit capabilities, and in addition to built-in functionalities, the attackers can upload additional modules which can perform virtually any function.
So far, attacks have been seeing using multiple vectors, including an Adobe Flash Player exploit that targets CVE-2012-0773, a vulnerability patched by Adobe in by the end of 2012. According to Kaspersky Lab, the exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest. However, Raiu said that vulnerability research firm Vupen refused to share the exploit details with Pwn2Own organizers and claim a prize.
As is the case with a majority of APT attacks, The Mask campaign leverages spear-phishing e-mails with links to a malicious website.
“The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration,” Kaspersky explained. “Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.”
The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.
“They are stealing documents stealing extensions Adobe reader encryption keys, something that would allow them to sign documents as the owner of the keys,” Raiu explained.
Other unknown file extensions that could be connected to custom government applications were also targeted, Raiu said.
After making a preview announcement about The Mask last week, Raiu said the attackers moved quickly and began shutting down their command and control infrastructure with four hours. Raiu also said that Apple shut down a command and control server.
“It’s completely dead now,” Raiu said. “However, if they wanted, they could resume operations very quickly.”
Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:Kaspersky Unveils The Mask – Most Advanced Cyberespionage Operation Seen To DatePalo Alto Networks Launches Its Fastest Next-Generation FirewallSophos Acquires Network Security Firm Cyberoam TechnologiesDysfunctional Congress a Significant Cyber Threat: Security and Compliance ProsRaytheon Gets $9.8 Million Under DARPAs Plan X Cyberwarfare Program
Tags: NEWS INDUSTRY