Kaspersky Lab has released research findings on Careto, a malware toolkit that has hit more than 380 victims in 31 countries so far since 2007.
“Careto” means “mask” in Spanish, Kaspersky notes.
The word also could point to an ancient tradition incorporated into Portuguese and Brazilian Carnival festivals.
The malware targets government institutions; embassies; the energy, oil and gas sectors; private companies; research institutions; private equity firms; and activists, Kaspersky’s report states.
The attackers are highly sophisticated, according to the firm, which speculates a nation-state may be behind the malware.
“The attackers are really professionals,” Jaime Blasco, director of AlienVault Labs, told TechNewsWorld. “They were able to anticipate Kaspersky’s public disclosure, and they shut down all the infrastructure within four hours of Kaspersky’s publishing a short press release announcing the discovery of the Mask.”
What Makes Up the Mask
The Mask consists of a rootkit and a bootkit, Kaspersky says.
There are 32-bit and 64-bit Windows versions, as well as versions for OS X and Linux.
The malware attacks the Android and iOS operating systems, Dmitry Bestuzhev, Kaspersky Lab’s head of research center, Latin America, told TechNewsWorld.
Careto “used exploits for iOS and also Chrome, which previously only had few known vulnerabilities,” he pointed out. “The cost to develop such attacks is pretty high. One has to have very deep pockets to make this attack real.”
Detection is difficult, because “malware like this has the ability to morph based on its environment,” Ken Westin, security researcher for Tripwire, told TechNewsWorld. “It can sniff out what is on the systems and network, and send data to a remote server where it can receive specific exploit code for the targeted system.”
Further, malware can constantly change when downloaded to new systems, so its signature is never the same, Westin said.
The Things Mask Does
Mask uses a customized attack against older versions of Kaspersky Lab products to hide in the system.
It can intercept network traffic, keystrokes, Skype conversations and PGP keys, according to Kaspersky. Mask also can analyze WiFi traffic, fetch information from Nokia devices, capture screens and monitor file operations.
It’s likely that the Nokia phones were specifically included because the attacker “must have previously known that their victims used Nokia mobile devices, so they had to make something 100 percent effective and running on this platform,” Kaspersky’s Bestuzhev said.
Mask collects encryption keys, VPN configurations, SSH keys and RDP files. It has several extensions that Kaspersky has not yet identified.
“After reading the paper, [I believe] it is indeed the most complex piece of malware ever discovered,” Sorin Mustaca, an IT security expert at Avira, told TechNewsWorld.
How the Malware Attacks
Mask relies on spear-phishing emails containing links to a malicious website, Kaspersky said.
Infected visitors later are redirected to a benign website, which could be a YouTube movie or a news portal.
Some malicious websites have subdomains simulating subsections of the main newspapers in Spain, as well as The Guardian and The Washington Post, in order to look genuine.
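The lookalike-subdomain trick described above (a trusted newspaper's name placed in the subdomain labels of an unrelated domain) is something a defender can hunt for in web proxy logs. The following Python script is an added example written for this article, not code from Kaspersky or from the reporting; the log format, the client addresses, the hostnames, and the short allowlist of newspaper domains are all constructed for illustration. It flags any request whose registrable domain is not a known news domain but whose subdomain labels carry a known news brand.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of legitimate newspaper domains. The article names
# The Guardian and The Washington Post; the Spanish titles here are an assumption
# added for the example, not taken from the page.
KNOWN_NEWS_DOMAINS = {
    "theguardian.com",
    "washingtonpost.com",
    "elpais.com",
    "elmundo.es",
}

# Brand tokens are the leftmost label of each known domain ("theguardian", ...).
BRAND_TOKENS = {domain.split(".")[0] for domain in KNOWN_NEWS_DOMAINS}

# Constructed proxy log: timestamp, client address, method, URL, HTTP status.
CONSTRUCTED_PROXY_LOG = """\
2014-02-11T09:12:01Z 10.0.0.15 GET http://www.theguardian.com/world/2014/feb/11/story 200
2014-02-11T09:12:05Z 10.0.0.15 GET http://theguardian.world-news-update.example/politics/ 302
2014-02-11T09:12:06Z 10.0.0.22 GET http://internacional.elpais.com/internacional/2014/ 200
2014-02-11T09:12:09Z 10.0.0.22 GET http://internacional.elpais.press-mirror.example/2014/ 200
2014-02-11T09:12:11Z 10.0.0.31 GET http://washingtonpost.com.cdn-static.example/news/ 200
2014-02-11T09:12:14Z 10.0.0.31 GET http://www.youtube.com/watch?v=constructed 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Simplification for the example: a real deployment would consult the
    Public Suffix List so that names such as example.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def is_lookalike(host):
    """True when a news brand appears in the subdomain of a non-news domain."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in KNOWN_NEWS_DOMAINS:
        return False  # genuinely served under the newspaper's own domain
    subdomain_labels = host.split(".")[:-2]
    return any(token in label for label in subdomain_labels for token in BRAND_TOKENS)


def scan_proxy_log(text):
    """Return (timestamp, client, host) for each request to a lookalike host."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the scan
        host = urlsplit(match["url"]).hostname or ""
        if is_lookalike(host):
            hits.append((match["ts"], match["client"], host))
    return hits


if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(CONSTRUCTED_PROXY_LOG):
        print(f"{ts} {client} lookalike news host: {host}")
```

On the constructed log the scan reports three hosts: the Guardian and Washington Post impersonations and the Spanish-style `internacional.elpais.press-mirror.example`, while the genuine `www.theguardian.com` and `internacional.elpais.com` requests pass. The brand-token match is a substring test, so a long label that merely contains a brand name will also be flagged; that bias toward false positives is the right trade-off for a hunting query, and an analyst reviews the short list it produces.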
Mask leverages three separate backdoors. The first, Careto, is a general-purpose backdoor that collects system information and executes arbitrary code provided by the C&C servers. Another, called “SGH,” works in kernel mode. It contains rootkit components and interceptor modules, steals files, and maintains its own connection to C&C servers.
The third is a custom compiled backdoor based on the sbd open source netcat clone that is available in Win32, OS X and Linux variants, notes Kaspersky.
To minimize the chances of detection, the malware is signed digitally with a valid certificate from an obscure company called “TecSystem Ltd.,” reports Kaspersky.
Who’s Behind the Mask?
A nation-state may have authored the Mask, Kaspersky suggests.
The Mask “sounds and looks like a big project that required a lot of time, money and resources to accomplish,” Philip Lieberman, president and CEO of Lieberman Software, told TechNewsWorld.
“The operation of the command and control [servers] appears to be professional,” Lieberman continued. “The project appears to be run like a business with funding, technology and proper operations.”
However, it might be too soon to point the finger at a nation-state, cautioned Tripwire’s Westin.