
"The Mask" revealed: Advanced malware taking shots at government and activists

Kaspersky Lab has uncovered one of the most advanced global malware threats ever discovered, according to the latest reports.

Dubbed "The Mask", or "Careto", the program is a sophisticated cyber espionage tool apparently developed in a Spanish-speaking country.

The primary targets include government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organisations and activists; victims have been found in 31 countries around the world.

Kaspersky believes The Mask may have been active since as early as 2007.

The main objective of the attackers is apparently to gather sensitive data from the systems the malware infects. This includes office documents, but also various encryption keys, VPN configurations, SSH keys (the private keys that authenticate a user to an SSH server) and RDP files (connection profiles used by the Remote Desktop client to open a session automatically, which can carry a saved password).
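To make that shopping list concrete, the following is an added example (not code from Kaspersky's report or from the malware) that inventories the same artefact classes on a host by file content rather than extension, and flags which of them an attacker could use without cracking anything: SSH private keys with no passphrase (legacy PEM without a Proc-Type header, or the OpenSSH v1 format with cipher "none"), RDP profiles that embed a saved "password 51:b:" DPAPI blob, OpenVPN profiles with an inline private key, and PGP private key blocks. The directory layout and file contents are constructed for the demo, and the OpenSSH-format keys are synthetic stubs that carry only the header fields the parser reads.

```python
"""Inventory of credential artefacts a Careto-style collector would harvest.

Added example, not code from the report or the malware. Classifies files by
content and reports whether each one is usable as-is (no passphrase needed).
usable_as_is is None where protection status is not inspected (PGP blocks).
"""
import base64
import os
import re
import struct
import tempfile
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    path: str
    kind: str                       # ssh-key | rdp | openvpn | pgp-key
    usable_as_is: Optional[bool]    # True: attacker needs no passphrase or cracking

# Content signatures for the artefact classes named in the report.
SSH_PEM_HEADER = re.compile(r"-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----")
PEM_ENCRYPTED = re.compile(r"^Proc-Type: 4,ENCRYPTED", re.M)   # legacy PEM passphrase marker
PGP_HEADER = re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----")
RDP_ADDRESS = re.compile(r"^full address:s:", re.M)
RDP_PASSWORD = re.compile(r"^password 51:b:[0-9A-Fa-f]+", re.M) # DPAPI-protected saved password
OVPN_REMOTE = re.compile(r"^remote\s+\S+", re.M)
OVPN_INLINE_KEY = re.compile(r"<key>.*?</key>", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\x00"                            # OpenSSH v1 key format magic

def openssh_v1_cipher(text: str) -> Optional[bytes]:
    """Cipher name from an OpenSSH-format private key (b'none' = unencrypted),
    or None if the body is not in that format."""
    body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:              # binascii.Error is a ValueError
        return None
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    if len(raw) < off + 4:
        return None
    (n,) = struct.unpack(">I", raw[off:off + 4])   # string ciphername follows the magic
    return raw[off + 4:off + 4 + n]

def classify(path: str, text: str) -> Optional[Finding]:
    if RDP_ADDRESS.search(text):
        # A saved password is a DPAPI blob: useless off-host, but a collector
        # running as the victim user can decrypt it in place.
        return Finding(path, "rdp", bool(RDP_PASSWORD.search(text)))
    if OVPN_REMOTE.search(text):
        key = OVPN_INLINE_KEY.search(text)
        return Finding(path, "openvpn", bool(key) and not PEM_ENCRYPTED.search(key.group(0)))
    if PGP_HEADER.search(text):
        return Finding(path, "pgp-key", None)
    if SSH_PEM_HEADER.search(text):
        if PEM_ENCRYPTED.search(text):
            return Finding(path, "ssh-key", False)
        cipher = openssh_v1_cipher(text)
        return Finding(path, "ssh-key", cipher is None or cipher == b"none")
    return None

def scan(root: str, max_bytes: int = 1 << 20) -> list:
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            # .rdp files written by mstsc are UTF-16LE with a BOM; others are treated as UTF-8.
            text = data.decode("utf-16" if data.startswith(b"\xff\xfe") else "utf-8", errors="replace")
            found = classify(p, text)
            if found:
                findings.append(found)
    return sorted(findings, key=lambda f: f.path)

def summarize(root: str) -> dict:
    """Map relative path -> (kind, usable_as_is) for everything scan() found."""
    return {os.path.relpath(f.path, root).replace(os.sep, "/"): (f.kind, f.usable_as_is)
            for f in scan(root)}

def build_sample_dir() -> str:
    """Write constructed sample artefacts into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="careto-demo-")
    def put(rel, content):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    def fake_openssh(cipher: bytes) -> str:   # synthetic stub: magic + ciphername only
        raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
        b64 = base64.b64encode(raw).decode()
        return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
    put(".ssh/id_ed25519", fake_openssh(b"none"))          # no passphrase
    put(".ssh/id_rsa", fake_openssh(b"aes256-ctr"))        # passphrase-protected
    put(".ssh/old_key", "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    put("prod.rdp", "full address:s:10.0.0.5\nusername:s:admin\npassword 51:b:01000000D08C9DDF\n")
    put("Documents/lab.rdp", b"\xff\xfe" + "full address:s:10.0.0.9\r\n".encode("utf-16-le"))
    put("vpn/office.ovpn", "client\nremote vpn.example.org 1194\n<key>\n"
                           "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n</key>\n")
    put("keys/secring.asc", "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nAAAA\n-----END PGP PRIVATE KEY BLOCK-----\n")
    put("notes.txt", "quarterly report draft\n")           # not a credential artefact
    return root

if __name__ == "__main__":
    for rel, (kind, usable) in summarize(build_sample_dir()).items():
        print(f"{kind:9} usable_as_is={usable!s:5} {rel}")
```

Run against a real home directory the script is a cheap way to see the exposure a host-resident collector would have; the items reported as usable as-is (plaintext SSH keys, RDP profiles with saved passwords, VPN profiles with inline keys) are the ones worth moving behind a passphrase, an agent, or a credential manager first.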

The sophisticated nature of the malware has led researchers to the conclusion that The Mask was created with the support of a state or government.

"Several reasons make us believe this could be a nation-state sponsored campaign," said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab.

"First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment," Raiu said. "This level of operational security is not normal for cyber-criminal groups."

However, it's not clear who could have written such a program, or why.

"Just looking at the targets, it is not obvious who would want to target them; there is no obvious pattern," said Liam O'Murchu, a researcher at Symantec.

"The code is professionally written, but it's even difficult to say whether it is written by a government or by a private company that sells this type of software."

Kaspersky Lab was also the team behind the discovery of the advanced Flame malware, which it described at the time as possibly "the most sophisticated cyber weapon yet unleashed."

In 2010, the Stuxnet worm was discovered on computer systems belonging to the Iranian nuclear programme, and a related piece of malware dubbed "Duqu" was discovered a year later.

Who designed and distributed The Mask isn't clear yet, but one thing seems certain: the NSA isn't the only player in the global cyber espionage game.