If you don’t know about the newly discovered nation-state espionage malware “The Mask” yet, you will, as some security experts expect it’s the mother model of future cyber weapons for advanced persistent threat (APT) campaigns.
So what makes The Mask so slick and sick? For one thing, the advanced cyber-espionage malware campaign has been used in attacks since at least 2007 and yet managed to go undetected for all these years. For another, it’s the complexity of the attackers’ toolset. Yet another is the fact that the data sent both to and from the command-and-control (C&C) server was encrypted with an RSA key. Kaspersky Lab researchers [pdf] said, “This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.” And about those authors . . .
When you think about “one of the most advanced” nation-state cyber-espionage threats, what country jumps to mind? Ah, not so fast; it seems as if it’s not China, not Russia, not the U.S., Israel, or North Korea this time. Based upon some Spanish words in the code, Kaspersky Lab said The Mask’s authors “appear to be speaking the Spanish language.” But if you’ve placed a call to any U.S. corporation and needed to then “press 1” for English, it’s clear that Spanish is fairly common in numerous countries. Using the Spanish slang word “Careto,” which means “ugly face” or “mask,” in some of the malware modules, wouldn’t that be a pretty slick trick to deflect blame onto another country? Yet security expert Bruce Schneier advised, “Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco.”
The attackers’ exceptionally complex toolset included “an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions.” If you don’t use Microsoft Windows and therefore think you’re safe from The Mask, then think again; Kaspersky Lab [pdf] also found versions of the malware for Linux, Mac OS X and “possibly versions” for backdoors in “Android and iPad/iPhone (Apple iOS).” And oh joy, oh bliss, Kaspersky researchers believe that “expanding their toolkits to include Linux and Mac ‘support,’ indicates an important trend in the world of APTs.”
But if you are just a “regular” person, then you likely wouldn’t be targeted by The Mask’s attackers who are believed to be sponsored by a nation-state. Although Kaspersky identified “380 unique victims in 31 countries,” the main targets have been government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and activists.
However, if you were a target, then The Mask attackers could pwn you six ways from Sunday and back again. "Basically, everything secured and confidential easily becomes available and in a plain text," explained Kaspersky Lab's Dmitry Bestuzhev. “For the victims, an infection with Careto can be disastrous,” stated the Kaspersky announcement. “Careto intercepts all communication channels and collects the most vital information from the victim’s machine. Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.”
The researchers wrote in their report [pdf]:
When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze Wi-Fi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations.
The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.
Last month, as Kaspersky was preparing to publish its report, the suspected nation-state attacks went dark as the APT actors shut down all operations. Based on the “very high degree of professionalism” in the attackers’ operational procedures, such as “monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on,” Kaspersky called the APT group behind The Mask “elite.”
The attack relied on social engineering, according to Kaspersky’s analysis, and depended upon highly targeted spear-phishing emails linked to malicious websites. Phishing bait for The Mask was sometimes email linking to imitated news sites “like The Guardian and Washington Post,” newspapers in Spain, or even YouTube. Kaspersky researchers noted that “the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails.” After the attackers’ malicious site successfully infected a victim, it would then redirect the victim to the benign site referenced in the email.
The attack is designed to handle all possible cases and potential victim types. Depending on the operating system, browser and installed plugins, the user is redirected to different subdirectories, which contain specific exploits for the user’s configuration that are most likely to work.
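The delivery pattern described above leaves a recognizable trace in web-proxy logs: a request with no referer (the link came from an email, not from a page the user was browsing) to a deep, otherwise unlinked folder on an unfamiliar host, answered with a redirect, followed within seconds by a visit to a legitimate news site. The following script is an added example written for this post, not code from the original article or from Kaspersky's report; the log format, the client addresses, the `cdn-news-update.example` host and the list of trusted landing domains are all constructed for illustration.

```python
"""
Flag proxy-log request chains that match the bait pattern: an unreferred request to a
deep path on an unfamiliar host, a redirect, then a landing on a well-known news site.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log (not real traffic). Fields: time client method url status referer
SAMPLE_LOG = """\
2014-02-11T09:15:02 10.0.0.7 GET http://www.theguardian.com/world 200 -
2014-02-11T09:31:44 10.0.0.12 GET http://cdn-news-update.example/x/3f9a/ 302 -
2014-02-11T09:31:45 10.0.0.12 GET http://www.theguardian.com/world/2014/feb 200 -
2014-02-11T09:40:10 10.0.0.12 GET http://www.youtube.com/watch?v=abc 200 http://www.theguardian.com/world/2014/feb
2014-02-11T10:02:00 10.0.0.9 GET http://cdn-news-update.example/ 200 -
2014-02-11T10:02:03 10.0.0.9 GET http://cdn-news-update.example/about 200 http://cdn-news-update.example/
"""

# Sites the post names as decoy destinations; a real deployment would maintain its own list.
TRUSTED_LANDING = {"theguardian.com", "washingtonpost.com", "elpais.com", "youtube.com"}
WINDOW = timedelta(seconds=10)  # how soon after the redirect the decoy page must load


def parse_log(text):
    """Parse the constructed space-separated format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer = line.split()
        parsed = urlparse(url)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "host": parsed.hostname or "",
            "path": parsed.path,
            "status": int(status),
            "referer": None if referer == "-" else referer,
        })
    return records


def registered_domain(host):
    """Crude last-two-labels reduction (www.theguardian.com -> theguardian.com)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_redirect_chains(records, window=WINDOW):
    """Return one finding per client that follows the bait -> redirect -> decoy chain."""
    findings = []
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)

    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(reqs):
            if not 300 <= r["status"] < 400:
                continue                      # only redirects start a chain
            if r["referer"] is not None:
                continue                      # reached by normal browsing, not an out-of-band link
            if registered_domain(r["host"]) in TRUSTED_LANDING:
                continue                      # redirects within the decoy sites are normal
            if r["path"] in ("", "/"):
                continue                      # the site root is benign; the hidden folder is the bait
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - r["ts"] > window:
                    break
                if registered_domain(nxt["host"]) in TRUSTED_LANDING:
                    findings.append({"client": client, "bait": r["url"], "landing": nxt["url"]})
                    break
    return findings


def run_demo():
    """Run the detector over the constructed sample and return its findings."""
    return find_redirect_chains(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['client']}: {f['bait']} -> {f['landing']}")
```

Only the 10.0.0.12 chain is flagged; the 10.0.0.9 client, who browsed the same host's front page and followed an ordinary link from it, is not, which mirrors the point that the exploit sites do not infect casual visitors and that the signal lives in the unreferenced folder plus the redirect, not in the hostname alone. Tuning the window and the trusted list to local traffic is the main operational work.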
The researchers found exploits for Java, Adobe Flash and malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. Regarding the Flash exploit (CVE-2012-0773), which was “originally discovered by French company VUPEN and used to win the Pwn2Own contest in 2012,” Kaspersky wrote that VUPEN “sold” it “to governments as a 0-day.” That the Flash exploit came from VUPEN is something the "leading provider of government-grade zero-day exploits" has vehemently denied in public.
Kaspersky put this APT operation “above Duqu in terms of sophistication, making it one of the most advanced threats at the moment.” Then at the Kaspersky Security Analyst Summit 2014, Costin Raiu, head of the Global Research and Analysis Team at Kaspersky, added, “These guys are better than the Flame APT group because of the way that they managed their infrastructure. The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.”
This led other security experts to declare it’s the mother of future cyber weapons. For example, Tatu Ylonen, chief executive of SSH Communications Security, told CSO, "It will serve as a model for new cyber-weapon developers worldwide. Future viruses and cyber-weapons will share many of its features."
Hopefully, this wasn't too technical as that tends to glaze over the eyes and lose people who don't live and breathe security news. If you want the technical guts of The Mask, then you really should read Kaspersky's analysis "Unveiling 'Careto' - The Masked APT" [pdf].