The Mask – Unveiling the World’s Most Sophisticated APT Campaign

PUNTA CANA–A hacking group likely backed by an unknown national government has been targeting government agencies, embassies, diplomatic offices and energy companies for more than five years in what Kaspersky researchers are calling the most sophisticated advanced persistent threat campaign they have ever seen.

Unveiled yesterday at the company’s Security Analyst Summit in the Dominican Republic, the threat is called “Careto,” which is apparently Spanish for “ugly face” or “mask,” though there appears to be a bit of dissension about this among Spanish speakers.

This campaign is concerning because it pretty clearly demonstrates that the most highly skilled attackers out there are learning, honing their trade, and just generally getting better at infecting, spying on, and stealing from very specific targets. It’s also concerning because the Mask has existed under the radar, silently intercepting sensitive data since 2007. Had the attackers not tried to exploit a patched vulnerability in an older version of a Kaspersky product, Costin Raiu, the director of the company’s Global Research and Analysis Team, said his researchers might never have found it.

“Exploiting Kaspersky products is most unwise,” Raiu said in his presentation of the Mask.

However, highly sophisticated APT campaigns like this one are generally designed to infect the machines of individuals with access to very specific, highly sought-after networks, in this case mostly those of government agencies and energy companies. In other words, the attackers are not interested in the vast majority of people. Another reason to curb your concern is that whoever is responsible for the campaign shut it down mere hours after Kaspersky’s Global Research and Analysis Team published a preview of the APT campaign.

Kaspersky researchers have sinkholed about 90 of the command and control domains the attackers were using, and Raiu said that after the post was published, the Mask operators shut everything down within about four hours. Sinkholing is a process through which researchers can wrest control of botnet or malware communication infrastructure and redirect traffic away from the malicious servers controlling the campaign.

However, Raiu said that the attackers could resurrect the operation and come back very quickly without much trouble if they wanted.

The campaign is also noteworthy for several reasons. For one, it doesn’t seem to have any connection to China, which is where a lot of these sorts of attacks are alleged to have originated. It’s also interesting because the people who directed the campaign appear to be Spanish speakers, which is novel for sure but not altogether surprising or revelatory considering that the language is second only to Mandarin, with nearly 400 million Spanish speakers in the world. Targets of the Mask campaign are also predominately Spanish speaking but located in more than 30 countries.

Beyond this, the group is said to have had in their arsenal at least one zero-day and versions of the Mask malware intended to target machines running Mac OS X, Linux, and perhaps even mobile devices running iOS and Android. At least one victim in Morocco, Raiu said, had a device that was communicating with the C&C infrastructure over a mobile 3G network.

“These guys are better than the Flame APT group because of the way that they managed their infrastructure,” said Raiu. “The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.”

As a point of reference, Flame is another APT campaign uncovered by Kaspersky researchers in 2012. It targeted Middle Eastern countries and was pretty sophisticated in the way it generated fraudulent digital certificates appearing to come directly from Microsoft.

As is so often the case, the Mask attackers targeted their victims with spear-phishing emails that led to malicious Web sites where the exploits were hosted. The sites were actually loaded with exploits and only accessible through the direct links the attackers sent the victims.

Raiu said that the attackers had a number of different tools at their disposal, including implants that enabled them to maintain persistence on victims’ machines, intercept all TCP and UDP communications in real time (these are just two different protocols through which communications travel on the Internet), and remain invisible on the compromised machine. Raiu said all of the communications between victims and the C&C servers were encrypted.