Careto (malware)

Last updated
Careto
AliasThe Mask
Classification Spyware
Isolation date2014
OriginNation state

Careto (Spanish slang for "face"), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. [1] Kaspersky believes that the creators of the malware were Spanish-speaking. [1]

Contents

Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain. [2]

Payload

Careto normally installs a second and more complex backdoor program called SGH. SGH is easily modifiable and also has a wider arsenal including the ability to intercept system events, file operations, and performing a wider range of surveillance features. [3] The information gathered by SGH and Careto can include encryption keys, virtual private network configurations, and SSH keys and other communication channels. [4]

Detection and removal

Careto is hard to discover and remove because of its use of stealth capabilities. In addition, most of the samples have been digitally signed. The signatures are issued from a Bulgarian company, TecSystem Ltd., but the authenticity of the company is unknown. One of the issued certificates was valid between June 28, 2011 and June 28, 2013. Another was valid from April 18, 2013 to July 18, 2016, but was revoked by Verisign. [5]

Careto was discovered when it made attempts to circumvent Kaspersky security products. [6] Upon discovery of Careto trying to exploit their software, Kaspersky started to investigate further. As part of collecting statistics, multiple sinkholes were placed on the command and control servers. [5]

Currently most up-to-date antivirus software can discover and successfully remove the malware.

Distribution

On investigation of the command and control servers, discoveries showed that more than 380 victims were infected. From the information that has been uncovered, the victims were infected with the malware by clicking on a spear phishing link which redirected to websites that had software that Careto could exploit, such as Adobe Flash Player. The player has since been patched and is no longer exploitable by Careto. The websites that contained the exploitable software had names similar to popular newspapers, such as The Washington Post and The Independent. [7]

The malware is said to have multiple backdoors to Linux, Mac OS X, and Windows. Evidence of a possible fourth type of backdoor to Android and IOS was discovered on the C&C servers, but no samples were found. [3]

It is estimated that Careto has been compiled as far back as 2007. It is now known that the attacks ceased in January 2014. [5]

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Cyber espionage, cyber spying, or cyber-collection is the act or practice on obtaining secrets and information without the permission and knowledge on the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork on amateur malicious hackers and software programmers.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

Mahdi is computer malware that was initially discovered in February 2012 and was reported in July of that year. According to Kaspersky Lab and Seculert, the software has been used for targeted cyber espionage since December 2011, infecting at least 800 computers in Iran and other Middle Eastern countries. Mahdi is named after files used in the malware and refers to the Muslim figure.

Operation Red October or Red October was a cyberespionage malware program discovered in October 2012 and uncovered in January 2013 by Russian firm Kaspersky Lab. The malware was reportedly operating worldwide for up to five years prior to discovery, transmitting information ranging from diplomatic secrets to personal information, including from mobile devices. The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel. Later, a webpage was found that exploited a known vulnerability in the Java browser plugin. Red October was termed an advanced cyberespionage campaign intended to target diplomatic, governmental and scientific research organizations worldwide.

<span class="mw-page-title-main">Seculert</span> Israeli cloud-based cyber security technology

Seculert was a cloud-based cyber security technology company based in Petah Tikva, Israel. The company's technology was designed to detect breaches and advanced persistent threats (APTs), attacking networks. Seculert's business was based on malware research and the ability to uncover malware that has gone undetected by other traditional measures.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

NetTraveler or TravNet is spyware that dates from 2004 and that has been actively used at least until 2016, infecting hundreds of often high-profile servers in dozens of countries.

Xafecopy Trojan is a malware software targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries. Users in India were its primary victims, followed by users from Russia, Turkey, and Mexico.

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

Candiru is a private Tel Aviv-based company founded in 2014 which provides spyware and cyber-espionage services to government clients. Its management and investors overlap significantly with that of NSO Group. Its operations began being uncovered in 2019 by researchers at CitizenLab, Kaspersky, ESET. Microsoft refers to the company's cyber-espionage operations as "Caramel Tsunami/SOURGUM" while Kaspersky refers to it as "SandCat"

Operation Triangulation is a targeted cyberattack on iOS devices conducted using a chain of four zero-day vulnerabilities. It was first disclosed in June 2023 and is notable for its unprecedented technical complexity among iOS attacks. The number of victims is estimated to be in the thousands.

References

  1. 1 2 "Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers, 11 February 2014". Archived from the original on 21 February 2014. Retrieved 11 February 2014.
  2. ""The Mask" Espionage Malware - Schneier on Security". schneier.com.
  3. 1 2 Lucian Constantin (11 February 2014). "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld.
  4. "Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers". Archived from the original on 2014-02-21. Retrieved 2014-02-11.
  5. 1 2 3 "The Careto/Mask APT: Frequently Asked Questions". 10 February 2014.
  6. "Securelist". 10 February 2014. Retrieved 3 April 2015.
  7. "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". Pcworld. Retrieved 2 April 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.