A Sophisticated cyber spying operation, ‘The Mask’, that has been under the mask for about 7 years targeting approximately 31 countries, has now been ‘unmasked’ by researchers at Kaspersky Labs.
The Researchers believe that the program has been operational since 2007 and is seems to be sophisticated nation-state spying tool that targeted government agencies and diplomatic offices and embassies before it was disclosed last month.
In the unveiling document published by Kaspersky, they found more than 380 unique victims, including Government institutions, diplomatic offices/embassies, private companies, research institutions, activists etc.
The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules.
Developers of the ‘Mask’ aka ‘Careto’ used complex tool-set which includes highly developed malware, bootkit, rootkit etc. that has the ability to sniff encryption keys, VPN configuration, SSH keys and RDP file via intercept network traffic, keystrokes, Skype conversation, PGP keys, WI-Fi traffic, screen capturing, monitoring all file operations, that makes it unique and dangerous and more sophisticated than DUQU malware.
The malware targets files having an extension:
*.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX.
Victims of this malware found in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
The malware remains untraceable for about 7 years and was able to infect Mac OS X version, Linux, Windows, iPad/iPhone and android running devices.
According to the researchers, the Mask Malware was designed to infect the 32- and 64-bit Windows versions, Mac OS X and Linux versions, but researchers believe that possibly there may be more versions for Android and iPhones (Apple iOS) platforms.
In its main binary a CAB file having shlink32 and shlink64 dll files are found during the research from which the malware extract one of them, depending upon the architecture of the victim’s machine and install it as objframe.dll.
It includes the most sophisticated backdoor SGH, which is designed to perform a large surveillance function and except this it has DINNER module which gets executed via APC remote calls and reload ‘chef’ module responsible for network connectivity and ‘waiter’ modules responsible for all logical operations.
Another backdoor called SBD (Shadowinteger's Backdoor) which uses open source tools like netcat is included in the malware. To infect Linux versions, Mozilla Firefox plugin “af_l_addon.xpi” was used and was hosted on “linkconf[dot]net”
Spear phishing, a favorite attack used by most cyber attackers like SEA, was used to distribute this malware. Users were lured to click some malicious websites that contain a number of exploits to compromise their systems.
Kaspersky research found linkconf.net, redirserver.net and swupdt.com as hosting exploits. These websites don’t infect the visitor, instead attacker hosts the exploit in a folder which cannot be navigated using the web, but they direct the link to that exploit in the phishing email.
To mask the attack into real, attackers use a fake SSL certificate of some unknown company TecSystem Ltd valid since 2010 and sometimes they also use subdomains to mask the attack appear more real; in which they simulate newspaper subsections that may include SPAIN’s main Newspaper, The Washington Post and The Register etc.
Kaspersky had performed this research with more interest due to the reason that the malware has tried to exploit the vulnerability in its product i.e. Workstation products prior version 6.0.4.*, and KAV/KIS 8.0 versions.
“In case of the Careto implant, the C&C communication channel is protected by two layers of encryption. The data received from the C&C server is encrypted using a temporary AES key, which is also passed with the data and is encrypted with an RSA key. The same RSA key is used to encrypt the data that is sent back to the C&C server. This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.” they said.
During the research and investigation of this malware, CC servers were found down, which shows that attacker group was monitoring all aspects related to the malware activity. Since there are no identified patterns in these attacks and who is behind these activities is yet a matter of investigation for the researchers out there.
Author : Shivam Kotwalia, CodeKill
