The Mask: One Of The Sneakiest Government Malware Campaigns Ever Uncovered

At least 109 UK machines have been targeted in what analysts say is one of the stealthiest cases of digital espionage ever, called ‘The Mask’. The campaign has been going for seven years, and appears to originate from a Spanish-speaking, possibly governmental, source.

The attacks have been ongoing since at least 2007, according to a Kaspersky report, which found 380 unique victims had been targeted across 31 countries.

The attackers used spear phishing emails to lure targets into clicking on links to malicious domains, many of which appeared to be subsections of popular Spanish papers, as well as international publications like The Guardian and The Independent.

Morocco was by far the biggest target, with 391 victim IP addresses. Brazil had 173, followed by 109 in the UK. Spain and France were also home to a large number of victims.

“In total, we observed over 1,000 victims’ IPs in 31 countries. We have also found traces of at least 380 different victim´s IDs according to attackers´ naming schema both in logs and sinkholed requests,” Kaspersky’s report read.

State-sponsored attack

A number of factors pointed to a nation state sponsored effort. Exploits were launched against Java and Flash Player, and a number of malicious plugins for Chrome and Firefox, on Windows, Linux and OS X were also detected.

The Flash Player vulnerability used by the attackers was one uncovered in 2012 by exploit seller, VUPEN, which sells its findings to governments for offensive operations. It claims to only sell to NATO-based nations.

VUPEN’s chief Chaouki Bekrar told TechWeekEurope it was not certain his company sold details of the vulnerability to The Mask attackers. “There are many other talented researchers around the world who are able to analyse a security patch released by Adobe and figure out which flaws were fixed, and then create the corresponding exploits without the need of VUPEN’s assistance or original code,” Bekrar said.

Amongst the targets were activists, government bodies, embassies, and oil and gas firms.

Kaspersky believes the attackers are proficient Spanish speakers, but further attribution details have not been disclosed.

“For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on,” the report read.

Super-powered malware

The backdoor was called “Careto”, the Spanish word for “ugly face” or “mask”, whilst the malware itself was referred to as SGH. The SGH caught Kaspersky’s attention when it tried to subvert the company’s software, tricking it into whitelisting updates to the malware.

SGH, described as “an infinitely extensible attack platform”, can intercept network traffic and keystrokes, amongst other data, whilst snooping on Skype conversations. The malware also had the ability to siphon off all information from Nokia devices.

The malicious files were signed with a certificate from TecSystem, a Bulgarian entity, which Kaspersky suspects may be fake.

Given PGP keys used for encrypted email, VPN (virtual private network) configurations, SSH (secure shell) keys and RDP (remote desktop protocol) files were all targeted by the malware, it’s apparent The Mask hackers wanted to subvert privacy protections commonly used by businesses.

Two layers of encryption were used by the attackers for their command and control communications, using RSA keys. “This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign,” the Kaspersky report read.

The Mask crew also blacklisted a number of IPs used by security researchers, including Kaspersky Lab, Trend Micro and ESET.

Been keeping up with all the latest on Snowden and the NSA? Try our quiz!