An advanced piece of malware that has existed since 2007 has been detected by Kaspersky Lab’s security research team. The malware, called “The Mask”, takes its name from the Spanish slang word “Careto” (meaning ugly face or mask), which appears in some of the malware modules. It comes with a sophisticated set of tools, including a rootkit and a bootkit, and affects 32-bit and 64-bit Windows systems, Mac OS X, Linux, and possibly Android and iOS.
The targets of this malware are diplomatic offices and embassies, government institutions, research organizations and activists, and energy, oil and gas companies. It has already been detected in 31 countries including China, the US, France, the UK, and Germany and has claimed more than 380 unique victims.
The malware gathers sensitive information from an infected system: office documents, encryption keys, VPN configurations, RDP files, and SSH keys, to name a few. It can intercept network traffic and even record keystrokes and Skype conversations.
Kaspersky first became aware of The Mask last year when it observed an attempt to exploit a vulnerability in one of its products that had been fixed five years earlier. This vulnerability allowed the malware to remain invisible and undetected by their security software. This drew their interest, and an investigation was started.
The security firm then discovered that Careto can be disastrous to the systems it infects: the malware is able to intercept all communication channels and is extremely difficult to remove because of its stealth rootkit capability.
The mode of infection relies on spear phishing emails. A link is included in an email, and when the recipient clicks on the link it opens a malicious website designed to infect the visitor. According to Kaspersky, “It’s important to note the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails. Sometimes, the attackers use subdomains on the exploit websites, to make them seem more real. These subdomains simulate subsections of the main newspapers in Spain plus some international ones for instance, The Guardian and Washington Post.”
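A defender can turn the lure described above into a detection: flag URLs whose subdomain labels carry a newspaper's name while the registrable domain is not that paper's. This is an added example, not Kaspersky's code or the original article's; the brand list, the two-label registrable-domain rule, and the sample proxy-log URLs are assumptions (the hosts are constructed placeholders).

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: brands to watch for. The article names The Guardian and the
# Washington Post; the Spanish titles it mentions are not named, so extend
# this mapping with the papers relevant to your users.
NEWSPAPER_BRANDS = {
    "guardian": "theguardian.com",
    "washingtonpost": "washingtonpost.com",
}


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; use a public-suffix list in production."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def lookalike_subdomain(url: str) -> Optional[str]:
    """Return the impersonated brand when the subdomain part of the URL's host
    contains a newspaper name but the registrable domain is not that paper's."""
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    # Everything left of the registrable domain, e.g. "guardian" or "www".
    sub = host[: -len(reg)].rstrip(".") if host != reg else ""
    normalised = sub.replace("-", "").replace("_", "")  # washington-post -> washingtonpost
    for brand, legit in NEWSPAPER_BRANDS.items():
        if reg != legit and brand in normalised:
            return brand
    return None


def flag_lookalikes(urls: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of URLs (e.g. one column of a proxy log)."""
    return [(u, b) for u in urls if (b := lookalike_subdomain(u))]


# Constructed sample of proxy-log URLs; the .test hosts are placeholders.
SAMPLE_URLS = [
    "https://www.theguardian.com/world",
    "https://guardian.example-host.test/politics/",
    "http://washington-post.news-mirror.test/2014/02/",
    "https://mail.example.com/inbox",
    "https://washingtonpost.com/news",
]

if __name__ == "__main__":
    for url, brand in flag_lookalikes(SAMPLE_URLS):
        print(f"lookalike of {brand}: {url}")
```

Legitimate hosts such as www.theguardian.com pass because their registrable domain matches the brand's own domain; only hosts that borrow the name under an unrelated domain are reported.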
Questions such as where this malware originated are now being asked. Kaspersky thinks that malware this capable appears to be sponsored by a nation state rather than by an individual.
Costin Raiu, the director of Kaspersky’s Global Research and Analysis Team, said that “Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. This level of operational security is not normal for cyber-criminal groups.”