Kaspersky Lab said it was able to unravel the mystery behind the espionage campaign called "The Mask."
The espionage campaign has been running since 2007 and is not attributed to China or Russia; it was allegedly created by Spanish-speaking authors. "The Mask" is the translation of the Spanish slang word "Careto," a term the researchers discovered in some of the malware modules they exposed.
The Mask, or Careto, is an advanced persistent threat (APT) that had targeted around 380 unique victims spread across 31 nations at the time of reporting. The list of victims includes government institutions, embassies, private companies, equity firms, energy firms, and even activists.
"What makes 'The Mask' special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS)," the report [PDF] by Kaspersky Lab read.
"When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations. The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools," it added.
Kaspersky Lab's investigation was prompted by an attempt by the creators of "The Mask" to exploit some of the company's products. The firm did not identify the government suspected of launching the cyber espionage program, but noted that it is unusual for such a campaign not to come from the list of usual suspects, such as the United States, Russia, Israel, and China, which have been linked to infamous malware such as Stuxnet, Duqu, Icefog, Gauss, and Red October.
Upon investigation, the researchers found that the campaign has been most active in Morocco, followed by other countries such as Brazil, France, Spain, and the United Kingdom.
The perpetrators made use of two software backdoor packages, Careto and SGH, together with other related utilities. The backdoor packages were signed with a valid certificate belonging to a Bulgarian company called TecSystem Ltd. in order to avoid detection.
The cyber spying program used malicious links embedded in phishing emails to lead to bogus news websites depicting "The Guardian," "Time," "The Washington Post," plus a number of Spanish dailies.
Careto also made use of a double layer of encryption when communicating with the authors' servers. The encrypted data cannot be read even by those who have physical possession of the servers.
The researchers also mentioned that "The Mask" can make use of a Flash Player exploit discovered by France-based firm Vupen that can slip through the sandbox of Google Chrome. However, Vupen lead researcher and chief executive Chaouki Bekrar immediately dismissed the rumors.
"The exploit is not ours," Bekrar tweeted.
"The Mask" is considered by the researchers to be one of the most complex APTs to date. "For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on. This is not very common in APT operations, putting the Mask into the 'elite' APT groups section," the conclusion of the report read.