The main target of attackers is to gather sensitive data from "infected" systems. This includes documents, as well as various encryption keys, VPN settings, SSH keys (as a means of identifying a user on an SSH server), as well as RDP files (files used by Remote Desktop Client to automatically open a connection).
"There are many reasons why we believe this could be a state-sponsored campaign. First of all, we noticed a very high degree of professionalism in the operational processes of the team behind this attack: from the management of the infrastructure, the downtime of the company, the way they avoided being exposed through access rules, up to fact that they completely wiped out their actions instead of deleting the logs. "The combination of the above shows that this threat goes beyond Duqu in terms of development, making it one of the most advanced we have received so far," said Costin Raiu, Director, Global Research and Analysis Team (GReAT) of Kaspersky Lab.
Kaspersky Lab researchers first grasped this threat with 2013 when they noticed attempts to exploit a vulnerability of its own products, which had been corrected five years ago. The exploit allowed malware to avoid detection. Naturally, this situation has provoked the company's interest and so began the investigation.
For his victims, the virus Careto μπορεί να έχει καταστροφικά αποτελέσματα. Παρακολουθεί όλα τα κανάλια επικοινωνίας και συλλέγει τις πιο ζωτικής σημασίας πληροφορίες από το machine του θύματος. Ο εντοπισμός του είναι εξαιρετικά δύσκολος, λόγω των υψηλών δυνατοτήτων stealth rootkit, των ενσωματωμένων λειτουργιών του και των επιπρόσθετων μονάδων ψηφιακής κατασκοπείας.
Key Finds:
- Φαίνεται ότι η ισπανική language είναι η μητρική αυτών που ανέπτυξαν την απειλή, κάτι που έχει παρατηρηθεί πολύ σπάνια σε αντίστοιχες επιθέσεις.
- Η εκστρατεία ήταν ενεργή για τουλάχιστον πέντε χρόνια μέχρι τον Ιανουάριο του 2014 (μερικά δείγματα του Careto φαίνεται ότι αναπτύχθηκα από το 2007). Κατά τη διάρκεια των investigations της Kaspersky Lab, είχε τερματιστεί η λειτουργία των command-and-control servers.
- Over 380 victims have been detected in more than 1000 IP addresses. Affected systems are located in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan , Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, the United Kingdom, the United States and Venezuela.
- The complexity and global footprint of the tools used by the attackers makes this digital espionage business very special. Among other things, this campaign exploited sophisticated exploits, a highly advanced malware, a rootkit, a bootkit, and was developed in Mac OS X and Linux versions and - possibly - for Android and iOS. The Mask also used a custom attack against Kaspersky Lab's products.
- Among other tools, at least one Adobe was used Flash Player exploit (CVE-2012-0773). This exploit was designed for versions of Flash Player prior to 10.3 and 11.2. It was first discovered by VUPEN and 2012 was used to escape the Google Chrome sandbox and win the CanSecWest Pwn2Own contest.
According to Kaspersky Lab's analysis, The Mask campaign is offensive phishing emails, with links that led to a malicious site. The malicious website contains a series of exploits designed to "infect" the visitor, depending on his system settings. After the successful "infection," the malicious web page redirects the user to the secure email address that may be a YouTube video or an informational portal.
It should be noted that websites with exploits do not automatically "infect" visitors. Instead, the attackers host the exploits in specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails. Sometimes, attackers use subdomains on the "infected" websites to make them look more realistic.
- These subdomains simulate sub-sections of major Spanish newspapers, as well as some international ones, such as the Guardian and the Washington Post.
Malware monitors all communication channels and collects the most critical information from the "infected" system. Its detection is extremely difficult due to its increased stealth rootkit capabilities. Careto is an extremely modular system. It supports plugins and configuration files, which allow it to perform a large number of operations. In addition to built-in functions, Careto's operators can "upload" additional features that could perform any malicious task.
However, Kaspersky Lab notes that its products detect and erase all known versions of The Mask / Careto.
You can read the full report about it The Mask / Careto, με λεπτομέρειες για τα κακόβουλα tools, τα στατιστικά στοιχεία και τις ενδείξεις προσβολής. Τέλος, μπορείτε να δείτε τις answers to repeated questions about Mask.
