Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Kaspersky Unveils ‘The Mask’ – Most Advanced Cyber Espionage Operation Seen To Date

PUNTA CANA – Researchers from Kaspersky Lab have unveiled details on a sophisticated cyber-espionage campaign that the security firm is calling the most advanced it has ever seen.

PUNTA CANA – Researchers from Kaspersky Lab have unveiled details on a sophisticated cyber-espionage campaign that the security firm is calling the most advanced it has ever seen.

At Kaspersky Lab’s Security Analyst Summit, taking place this week in Punta Cana, Dominican Republic, researchers said the operation is the work of an “advanced Spanish-language speaking threat actor” that has been involved in the global operation since at least 2007.

The Mask APT CampaignNamed “The Mask”, and also referred to as “Careto” due to references in some of the malware modules, what makes the operation so interesting is the complexity of the toolset used by the attackers, including an extremely sophisticated malware, a rootkit, bootkit, Mac and Linux versions and possibly versions for iOS.

“They are absolutely an elite APT group,” Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, told a group of journalists in a briefing Monday morning.

The Spanish-speaking attackers are targeting government entities, energy, oil & gas companies and other high-profile victims such as research institutions and private equity firms, with the goal of collecting sensitive data from infected systems.

“They are one of the best I have seen,” Raiu said. “Previously, in my opinion, the best APT group was the one behind Flame. Now, I have changed my opinion—these guys are better than [the Flame APT group] because of the way they manage the infrastructure and way they react to threats.”

“The speed and reaction and the professionalism of The Mask is beyond that of Flame and anything else that we have seen so far,” Raiu said.

While the exact number of victims is not known, Kaspersky Lab said it has observed victims at more than 1000 IP addresses in 31 countries. Infections in Morocco and Brazil lead the list, with the UK, France and Spain following.

The Mask Malware Infections Map

Interestingly, The Mask uses a customized attack against older Kaspersky products in order to hide in the system.

Advertisement. Scroll to continue reading.

Based on the complexity of the malware and several other factors, Kaspersky Lab believes the operation is a nation-state sponsored effort.

Powerful and difficult to detect, Careto intercepts all the communication channels and collects the most vital information from the victim’ system.

Detection is extremely difficult because of its stealth rootkit capabilities, and in addition to built-in functionalities, the attackers can upload additional modules which can perform virtually any function.

So far, attacks have been seeing using multiple vectors, including an Adobe Flash Player exploit that targets CVE-2012-0773, a vulnerability patched by Adobe by the end of 2012. According to Kaspersky Lab, the exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest. However, Raiu said that vulnerability research firm VUPEN refused to share the exploit details with Pwn2Own organizers and claim a prize.

Chaouki Bekrar, VUPEN’s CEO, said the exploit was NOT from his company, however. “Our official statement about #Mask: the exploit is not ours, probably it was found by diffing the patch released by Adobe after #Pwn2Own,” he wrote on Twitter.

As is the case with a majority of APT attacks, The Mask campaign leverages spear-phishing e-mails with links to a malicious website.

“The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration,” Kaspersky explained. “Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.”

The malware collects a large list of documents from infected systems, including encryption keys, VPN configurations, SSH keys and RDP files.

“They are stealing documents and Adobe reader encryption keys, something that would allow them to sign documents as the owner of the keys,” Raiu explained.

Other unknown file extensions that could be connected to custom government applications were also targeted, Raiu said.

After making a preview announcement about The Mask last week, Raiu said the attackers moved quickly and began shutting down their command and control infrastructure with four hours. Raiu also said that Apple shut down a command and control server last week.

“It’s completely dead now,” Raiu said. “However, if they wanted, they could resume operations very quickly.”

“Cyberespionage campaigns conducted by professional teams are increasingly common,” Symantec’s Stephen Doherty noted in a blog post following Kaspersky’s announcement. “Numerous espionage operations spanning years have been highlighted over the last few years. Examples include Flamer, MiniDuke, and Hidden Lynx. The Mask joins this notorious list but also shows how the targets of these sophisticated campaigns are becoming increasingly diverse.” 

The full 64-page report from Kaspersky Lab with additional details on The Mask is available here in PDF format.

*Updated with comment from VUPEN.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.