Kaspersky Lab’s security research team recently announced the discovery of “The Mask” (aka Careto), an advanced Spanish-speaking threat actor that has been involved in global cyber-espionage operations since 2007.
“What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone),” the team said in a report. “The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists.”
Kaspersky Lab said victims of this targeted attack have been found in 31 countries around the world, from the Middle East and Europe to Africa and the Americas. The attackers' main objective appears to be to gather sensitive data from the infected systems. This includes office documents as well as material that grants further access: encryption keys, VPN configurations, SSH keys (which authenticate a user to an SSH server, so a stolen key can be replayed against every host that trusts it) and RDP files (saved connection settings that the Remote Desktop Client uses to open a session to a remote computer, sometimes with stored credentials).
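As an added illustration, not taken from Kaspersky's report or the original article, the script below checks a host for the same classes of credential files the paragraph says Careto harvests and flags the ones an attacker could use with no further work: an OpenSSH or legacy PEM private key stored without a passphrase, an .rdp file carrying a saved password (`password 51:b:` line), and an OpenVPN config that references a credentials file or embeds a key. The file names and contents in `SAMPLES` are constructed for the demonstration; `scan_tree()` runs the same checks over a real directory.

```python
"""Flag credential files that are immediately usable if exfiltrated (SSH keys,
RDP files, VPN configs). Samples are constructed; run scan_tree(Path.home())
to check a real account."""
import base64
import re
import struct
from pathlib import Path
from typing import Dict, Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_key_cipher(data: bytes) -> Optional[str]:
    """Cipher name from an openssh-key-v1 blob ('none' = unencrypted), or None
    if the data is not an OpenSSH private key."""
    m = re.search(rb"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END OPENSSH PRIVATE KEY-----",
                  data, re.S)
    if not m:
        return None
    blob = base64.b64decode(b"".join(m.group(1).split()))
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])   # first field: ciphername
    return blob[off + 4:off + 4 + n].decode()


def ssh_key_protected(data: bytes) -> Optional[bool]:
    """True if the key needs a passphrase, False if plaintext, None if not a key."""
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        return openssh_key_cipher(data) != "none"
    if re.search(rb"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", data):
        return b"Proc-Type: 4,ENCRYPTED" in data    # legacy PEM encryption header
    return None


def rdp_saved_password(text: str) -> bool:
    """.rdp files are 'name:type:value' lines; a non-empty 'password 51:b:<hex>'
    is a DPAPI-wrapped saved credential the client replays automatically."""
    return any(line.lower().startswith("password 51:b:") and line.split(":", 2)[2].strip()
               for line in text.splitlines())


def scan_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map file name -> finding for every file that looks like loot."""
    findings = {}
    for name, data in files.items():
        low = name.lower()
        if low.endswith(".rdp"):
            if rdp_saved_password(data.decode("utf-8", "replace")):
                findings[name] = "RDP file with saved credential"
        elif low.endswith((".ovpn", ".conf")):
            text = data.decode("utf-8", "replace")
            if re.search(r"^auth-user-pass\s+\S+", text, re.M) or "<key>" in text:
                findings[name] = "VPN config embedding a key or credential file"
        else:
            protected = ssh_key_protected(data)
            if protected is False:
                findings[name] = "unencrypted SSH private key"
            elif protected is True:
                findings[name] = "passphrase-protected SSH private key (offline crackable)"
    return findings


def scan_tree(root: Path) -> Dict[str, str]:
    """Apply scan_files() to real files under root (small files only)."""
    files = {}
    for p in root.rglob("*"):
        try:
            if p.is_file() and p.stat().st_size < 1_000_000:
                files[str(p.relative_to(root))] = p.read_bytes()
        except OSError:
            continue
    return scan_files(files)


def _openssh_blob(cipher: str) -> bytes:
    """Constructed minimal openssh-key-v1 file: only the cipher field is filled,
    which is all openssh_key_cipher() reads."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(body)
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + b"\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample files (names and contents are illustrative only).
SAMPLES = {
    ".ssh/id_ed25519": _openssh_blob("none"),
    ".ssh/id_rsa_work": _openssh_blob("aes256-ctr"),
    ".ssh/id_rsa_old": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "Documents/prod-dc.rdp": (b"full address:s:dc01.corp.example\r\nusername:s:CORP\\admin\r\n"
                              b"password 51:b:01000000d08c9ddf\r\n"),
    "Documents/lab.rdp": b"full address:s:lab.example\r\n",
    "vpn/office.ovpn": b"client\nremote vpn.example 1194\nauth-user-pass creds.txt\n",
}

if __name__ == "__main__":
    for name, finding in scan_files(SAMPLES).items():
        print(f"{name}: {finding}")
```

A passphrase-protected key is still reported, because once copied it can be cracked offline; the practical defence against this kind of collection is to keep private keys on hardware tokens or agents rather than on disk, and not to save RDP or VPN passwords in files at all.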
“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files,” said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab.
“These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment. This level of operational security is not normal for cyber-criminal groups,” Raiu added.
Kaspersky Lab researchers initially became aware of Careto last year when they observed the malware attempting to exploit a vulnerability in the company’s own products, one that had been patched five years earlier. For the victims, an infection with Careto can be disastrous. Careto intercepts all communication channels and collects the most valuable information from the victim’s machine. Detection is extremely difficult because of its rootkit-level stealth and its modular design, with additional cyber-espionage modules loaded on top of the core implant.