The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.
What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).
The Mask also uses a customized attack against older Kaspersky Lab products in order to hide in the system. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current time. This and several other factors make us believe this could be a state-sponsored operation.
The name "Mask" comes from the Spanish slang word "Careto" ("Mask" or "Ugly Face") that the authors included in some of the malware modules.
The main targets of Careto fall into the following categories:
Although the exact number of victims is unknown, we observed victims at more than 1000 IP addresses in 31 countries. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
Based on an identification algorithm we developed, we counted over 380 unique victims between over 1000+ IPs.
However, considering that victim information has been collected only for some command-and-control servers and sinkholed hosts, the total number of affected countries and unique victims can be much higher.
For the victims, an infection with Careto is disastrous. The malware intercepts all the communication channels and collects the most vital information from the infected system. Detection is extremely difficult because of stealth rootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high.
The Mask campaign we discovered relies on spear-phishing e-mails with links to a malicious website. The malicious website contains a number of exploits designed to infect the visitor, depending on his system configuration. Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.
It's important to note the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails. Sometimes, the attackers use sub-domains on the exploit websites, to make them seem more legitimate. These sub-domains simulate sub-sections of the main newspapers in Spain plus some international ones like the Guardian and the Washington Post.
So far, we observed attacks using multiple vectors. These include at least one Adobe Flash Player exploit (CVE-2012-0773). The exploit was designed for Flash Player versions prior to 10.3 and 11.2.
The CVE-2012-0773 was originally discovered by VUPEN and has an interesting story. This was the first exploit to break the Chrome sandbox and was used to win the CanSecWest Pwn2Own contest in 2012. The exploit caused a bit of a controversy because the VUPEN team refused to reveal how they escaped the sandbox, claiming they were planning to sell the exploit to their customers. It is possible that the Careto threat actor purchased this exploit from VUPEN.(See story by Ryan Naraine)
Other vectors used include social engineering, asking the user to download and execute a JavaUpdate.jar file or to install a Chrome browser plugin. We suspect other exploits exist as well, but we haven-t been able to retrieve them from the attack server.
So far, we observed Trojans for Microsoft Windows and Mac OS X. Some of the exploit server paths contain modules that appear to have been designed to infect Linux computers, but we have not yet located the Linux backdoor. Additionally, some of the C&C artifacts (logs) indicate that backdoors for Android and Apple iOS may also exist.
We suspect an iOS backdoor exists but we haven't been able to locate it yet. The suspicion is based on a debug log from one of the C&C servers where a victim in Argentina is identified and logged as having a user agent of "Mozilla/5.0 (iPad; CPU OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329". This appears to indicate it is an iPad, although without a sample, it's hard to be sure.
In addition to this, we also suspect the existence of an Android implant. This is based on a unique version identifier sent to the C&C which is "AND188.8.131.52". Communications with this unique identifier have been observed over 3G links, indicating a possible mobile device.
What makes The Mask special is the complexity of the toolset used by the attackers. This includes extremely sophisticated malware, a rootkit, a bootkit, Mac and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).
Also, The Mask uses a customized attack against older Kaspersky products in order to hide in the system. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced APTs at the current time. This and several other factors make us believe this could be a state-sponsored operation.
We initially became aware of Careto when we observed attempts to exploit a vulnerability in our products to make the malware "invisible" in the system.
Of course, this raised our interest and our research team decided to investigate further. In other words, the attackers attracted our attention by attempting to exploit Kaspersky Lab products.
Although the vulnerability in the products was discovered and fixed five years ago, there is still a possibility that there are users out there who haven't updated the product. In such cases the exploit can still be active, although it will not prevent us from removing the malware and cleaning the system.
Careto is a highly modular system; it supports plugins and configuration files which allow it to perform a large number of functions.
Variants of Careto have different compilation timestamps going back to 2007. Most modules were created in 2012.
At the moment, all known Careto C&C servers are offline. The attackers began taking them offline in January 2014. We were also able to sinkhole several C&C servers, which allowed us to gather statistics on the operation.
The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several unknown extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.
Here's the full list of collected files from the configurations we analyzed:
The Mask uses a customized attack against older Kaspersky Lab products in order to hide in the system. In addition, it includes a rootkit, a bootkit, Linux/Mac versions and possibly a version for Apple iOS. This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced APTs at the current time.
Also, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files, etc. This level of operational security is not normal for cybercriminal groups.
This and several other factors make us believe this could be a state-sponsored campaign.
Attribution is a difficult task. On the internet, it is extremely difficult to make a solid attribution due to the volatile nature of the way it was built.
Some clues such as the use of the Spanish language are weak, as it is spoken in many countries, including Latin America, Mexico or the United States (for instance in Miami, where a strong Spanish-speaking community exists).
We should also keep in mind the possibility of false flag attacks before making any solid assumption on the identity of who is responsible without very solid proof.
Some Careto samples were compiled as far back as 2007. The campaign was active until January 2014, but during our investigations the C&C servers were shut down.
That's at least five years. We cannot rule out the possibility of the attackers resurrecting the campaign at some point in the future.
The Windows backdoor is extremely sophisticated, and the attackers used a number of techniques in order to try to make the attack stealthier. These include injection into system libraries and attempting to exploit older Kaspersky Lab products to avoid detection.
Additionally, the exploits cover all potential target systems, including Mac OS X and Linux. Also, the communication between different exploit shellcode modules is done through cookies, which is quite an unusual technique.
Yes. Our products detect and remove all known versions of the malware used by the attackers. Detection names:
Yes, IOC information has been included in our detailed technical research paper.
You can read our full report here.
2014 Feb 11, 18:17
'Careto' may be more likely from Brazil
Due to their technical proficiency, Brazil (where they speak Portuguese) may be more likely the source of that APT than Spain or its purportedly independent colonies in America.
Re: 'Careto' may be more likely from Brazil
Through an oblique reference to an article in Wikipedia mixtecatl may be providing a key clue to the puzzle of The Mask, aka Careto. "The Careto tradition is a pre-historical Celtic religious ritual, from northeastern Portugal." Mixtecatl goes on to make a connection from Portugal to Brazil–the language they share–Brazil a distant second to Morocco in number of attacks.
Mixtecatl suspects Brazil because of "their technical proficiency"–however, geography points strongly to Portugal itself.
Not only is Careto a tradition of Portugal (not Brazil),
• Portugal itself is entirely exempt from attack, although
• countries in close proximity to Portugal come under attack–Morocco, the United Kingdom, Spain, France, Switzerland, and Libya– these being six of the seven countries experiencing the most attacks,
• the seventh being Brazil, linked to Portugal by language