The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

A Glimpse Behind "The Mask"

Kaspersky Lab Expert
Posted February 03, 11:44  GMT
Tags: Microsoft Windows, Apple MacOS, Adobe Flash, Linux, Rootkits, Targeted Attacks, Spearphishing

The world of APTs is a colorful place. In 2012, we uncovered Flame, a massive cyberespionage operation infiltrating computers in the Middle East. Our research indicated a connection with the wellknown Stuxnet cyberweapon, designed to sabotage the Iranian nuclear program.

In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.

Our analysis of all these different APT operations indicated an unique use of languages, that offer clues regarding some of the people behind these operations. If the comments in the Flame C&C were written in English, artifacts in RedOctober indicated Russian speakers, NetTraveler indicated Chinese natives. Finally, Kimsuky indicated Korean speaking authors, which we linked to North Korea.

During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation "The Mask" for reasons to be explained later.

The "Mask" is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment.

Most interesting, the authors appears to be native in yet another language which has been observed very rarely in APT attacks.

We will present more details about the "Mask" APT next week at the Kaspersky Security Analyst Summit 2014 (on Twitter, #TheSAS2014).


Oldest first
Threaded view


2014 Feb 04, 19:39


Yes you are right. So far we didn't see anything like that from German gov. It's interesting...



2014 Feb 04, 20:05

common clue?

I am not very familiar with reverse enginering therefore I ask how do you get on which language is coded. However, if they are top writers, why not is possible that these languages samples found are intentionaly put to take investigation in wrong direction. I mean anything like take nigerinan ip address (through bot) and send nigerian spam. In this case would be equal intentionaly inject these language samples that one can make some conclusion. Is it possible that all this malware samples are written from one team? Just asking.

If you would like to comment on this article you must first

Bookmark and Share