Kaspersky Uncovers One of the Most Complex Global Cyber-espionage Operations from Spain

Kaspersky Lab (News - Alert) has unearthed a new threat called 'The Mask' (aka Careto), which the company rates as one of the most advanced global cyber espionage operations to date.

Mask is special because of the complexity of the toolset used in the attack. The technology includes sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone (News - Alert)).  The Mask also used a customized attack against Kaspersky Lab's products, the company said.

The espionage, as it looks now, aims to leak sensitive information from various government agencies and corporations in several countries. Kaspersky says primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists.

Kaspersky team suspects it could be a nation-state sponsored campaign because they observed a very high degree of professionalism in the operational procedures of the group behind this attack.

The authors appear to be native in the Spanish language, which has been observed very rarely in APT (News - Alert) attacks Kaspersky said. The campaign was active for at least five years until January 2014. Kaspersky Lab researchers first noticed Careto last year when they observed attempts to exploit a vulnerability in the company's products which was fixed five years ago.

Kaspersky Lab says the exploit then provided the malware the capability to avoid detection. This is when Kaspersky started investigating the problem. During their investigation, the command-and-control (C&C) servers were shut down.

As per the report from Kaspersky Lab, over 380 unique victims between 1000+ IPs have been victims of Careto. They belong to countries like Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

“From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules to using wiping instead of deletion of log files,” said Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. “These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment.”

According to Raiu, this level of operational security is not normal for cyber criminal groups.

Kaspersky Lab's analysis report says 'The Mask' traps users through spear-phishing  e-mails with links to a malicious website that redirects users to the benign website reference in the e-mail, which can be a YouTube (News - Alert) movie or a news portal.

The detection is extremely difficult because of stealth rootkit capabilities. However, Kaspersky Lab's products detect and remove all known versions of 'The Mask'/Careto malware, they added.