In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.
Our analysis of all these different APT operations revealed a distinctive use of languages that offers clues about some of the people behind these operations. Whereas the comments in the Flame C&C were written in English, artifacts in RedOctober pointed to Russian speakers, and NetTraveler to native Chinese speakers. Finally, Kimsuky indicated Korean-speaking authors, whom we linked to North Korea.
During the past months we have been busy analysing yet another sophisticated cyberespionage operation, one which has been going on since at least 2007 and has infected victims in 27 countries. We named this operation "The Mask" for reasons to be explained later.
The Mask leverages high-end exploits and an extremely sophisticated piece of malware that includes a bootkit and rootkit, Mac and Linux versions, and a customized attack against Kaspersky products. This puts it above Duqu in terms of sophistication, making it one of the most advanced threats at the moment.
Most interestingly, the authors appear to be native speakers of yet another language, one that has been observed very rarely in APT attacks.
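The language clues mentioned above typically come from strings and comments left inside the malware. The following is an added example, not code from the original post or from Kaspersky, of how an analyst can extract printable strings from a binary blob and bucket them by Unicode script (Latin, Cyrillic, CJK, Hangul) to get a quick profile of which scripts the authors left behind. The sample blob, the decoding heuristic and the script prefixes are all constructed here for illustration; the decoder is a deliberately simple NUL-delimited heuristic rather than a full `strings`-style scanner.

```python
import unicodedata
from collections import Counter
from typing import List, Optional, Dict

# Constructed stand-in for a binary: an ASCII string next to a UTF-16LE
# Cyrillic string and UTF-8 CJK/Hangul strings, padded with junk bytes.
# This is not a real sample and no string here comes from any real malware.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"connect to C&C server\x00"
    + "соединение".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x13\x00"
    + "文件已上传".encode("utf-8") + b"\x00"
    + "파일 업로드 완료".encode("utf-8") + b"\x00"
    + b"\x7f\x7f\x7f\x00"
)

MIN_LEN = 4  # minimum number of characters for a chunk to count as a string

# Unicode character-name prefixes used to bucket letters by script (assumption:
# these four cover the scripts discussed in the post; everything else is OTHER).
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "CJK", "HANGUL")


def _decode_chunk(chunk: bytes) -> Optional[str]:
    """Heuristically decode one NUL-delimited chunk as ASCII, UTF-16LE or UTF-8.

    ASCII is checked first so that even-length ASCII runs are never mistaken
    for UTF-16LE CJK text; UTF-16LE is tried before UTF-8 because Cyrillic
    UTF-16LE bytes happen to be valid (but unprintable) ASCII/UTF-8.
    """
    if all(0x20 <= b <= 0x7E for b in chunk):
        return chunk.decode("ascii")
    for enc in ("utf-16-le", "utf-8"):
        if enc == "utf-16-le" and len(chunk) % 2:
            continue  # UTF-16 code units are two bytes wide
        try:
            text = chunk.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Split the blob on NUL bytes and keep chunks that decode to printable text."""
    found = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        text = _decode_chunk(chunk)
        if text is not None and len(text) >= min_len:
            found.append(text)
    return found


def dominant_script(text: str) -> str:
    """Name the script most letters in `text` belong to, e.g. 'CYRILLIC'."""
    counts: Counter = Counter()
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        script = next((p for p in SCRIPT_PREFIXES if name.startswith(p)), "OTHER")
        counts[script] += 1
    return counts.most_common(1)[0][0] if counts else "NONE"


def script_profile(blob: bytes) -> Dict[str, int]:
    """Count extracted strings per dominant script: the 'language clue' summary."""
    return dict(Counter(dominant_script(s) for s in extract_strings(blob)))


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print(f"{dominant_script(s):9s} {s!r}")
    print(script_profile(SAMPLE_BLOB))
```

A script profile of this kind is only a starting point: it tells you which writing systems appear in the binary, not who wrote it, and strings can be planted or copied from third-party code, so the result should be weighed together with build timestamps, tooling and infrastructure artifacts rather than read on its own.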
2014 Feb 04, 19:39
Yes, you are right. So far we haven't seen anything like that from the German gov. It's interesting...
2014 Feb 04, 20:05
I am not very familiar with reverse engineering, therefore I ask how you get at which language it is coded in. However, if they are top writers, why isn't it possible that these language samples found are intentionally put there to take the investigation in the wrong direction? I mean anything like taking a Nigerian IP address (through a bot) and sending Nigerian spam. In this case it would be equal to intentionally injecting these language samples so that one makes some conclusion. Is it possible that all these malware samples are written by one team? Just asking.