PUNTA CANA – Researchers from Kaspersky Lab have unveiled details on a sophisticated cyber-espionage campaign that the security firm is calling the most advanced it has ever seen.
At Kaspersky Lab’s Security Analyst Summit, taking place this week in Punta Cana, Dominican Republic, researchers said the operation is the work of an “advanced Spanish-language speaking threat actor” that has been involved in the global operation since at least 2007.
Named “The Mask”, and also referred to as “Careto” due to references in some of the malware modules, what makes the operation so interesting is the complexity of the toolset used by the attackers, including an extremely sophisticated malware, a rootkit, bootkit, Mac and Linux versions and possibly versions for iOS.
“They are absolutely an elite APT group,” Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, told a group of journalists in a briefing Monday morning.
The Spanish-speaking attackers are targeting government entities, energy, oil & gas companies and other high-profile victims such as research institutions and private equity firms, with the goal of collecting sensitive data from infected systems.
“They are one of the best I have seen,” Raiu said. “Previously, in my opinion, the best APT group was the one behind Flame. Now, I have changed my opinion—these guys are better than [the Flame APT group] because of the way they manage the infrastructure and way they react to threats.”
“The speed and reaction and the professionalism of The Mask is beyond that of Flame and anything else that we have seen so far,” Raiu said.
While the exact number of victims is not known, Kaspersky Lab said it has observed victims at more than 1000 IP addresses in 31 countries. Infections in Morocco and Brazil lead the list, with the UK, France and Spain following.
Interestingly, The Mask uses a customized attack against older Kaspersky products in order to hide in the system.
Based on the complexity of the malware and several other factors, Kaspersky Lab believes the operation is a nation-state sponsored effort.
Powerful and difficult to detect, Careto intercepts all the communication channels and collects the most vital information from the victim’ system.
Detection is extremely difficult because of its stealth rootkit capabilities, and in addition to built-in functionalities, the attackers can upload additional modules which can perform virtually any function.
So far, attacks have been seeing using multiple vectors, including an Adobe Flash Player exploit that targets CVE-2012-0773, a vulnerability patched by Adobe by the end of 2012. According to Kaspersky Lab, the exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest. However, Raiu said that vulnerability research firm VUPEN refused to share the exploit details with Pwn2Own organizers and claim a prize.
Chaouki Bekrar, VUPEN’s CEO, said the exploit was NOT from his company, however. “Our official statement about #Mask: the exploit is not ours, probably it was found by diffing the patch released by Adobe after #Pwn2Own,” he wrote on Twitter.
As is the case with a majority of APT attacks, The Mask campaign leverages spear-phishing e-mails with links to a malicious website.
“The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration,” Kaspersky explained. “Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.”
The malware collects a large list of documents from infected systems, including encryption keys, VPN configurations, SSH keys and RDP files.
“They are stealing documents and Adobe reader encryption keys, something that would allow them to sign documents as the owner of the keys,” Raiu explained.
Other unknown file extensions that could be connected to custom government applications were also targeted, Raiu said.
After making a preview announcement about The Mask last week, Raiu said the attackers moved quickly and began shutting down their command and control infrastructure with four hours. Raiu also said that Apple shut down a command and control server last week.
“It’s completely dead now,” Raiu said. “However, if they wanted, they could resume operations very quickly.”
“Cyberespionage campaigns conducted by professional teams are increasingly common,” Symantec’s Stephen Doherty noted in a blog post following Kaspersky’s announcement. “Numerous espionage operations spanning years have been highlighted over the last few years. Examples include Flamer, MiniDuke, and Hidden Lynx. The Mask joins this notorious list but also shows how the targets of these sophisticated campaigns are becoming increasingly diverse.”
The full 64-page report from Kaspersky Lab with additional details on The Mask is available here in PDF format.
*Updated with comment from VUPEN.