The Mask – the most sophisticated APT operation seen to date

Pierluigi Paganini February 11, 2014

Speaking at Kaspersky Lab’s Industry Analyst Summit,Costin Raiu revealed details on The Mask campaign, the most sophisticated operation they’ve seen to date.

The Kaspersky team recently announced to have detected a new significant APT campaign dubbed The Mask or “Careto” (Spanish for “Ugly Face” or “Mask”), a group of high-level state-sponsored hackers have been targeting government agencies, diplomatic offices, embassies, diplomatic offices and energy companies. The experts believe that the new cyber espionage campaign lasts for more than 5 years and it is the most sophisticated APT operation they’ve seen to date.

The Mask campaign is characterized by the use of unique components used by attackers to syphon sensitive information on victims’ machines, including encryption and SSH keys, and to wipe and delete any other data on the victim. The attackers behind The Mask are Spanish-speaking and targeted more than 30 countries around the world, the hackers also exploited at least a zero-day in their campaign, and of course they were able to distribute the Mask malware on every OS including Mac OS X, Linux, and perhaps even iOS and Android.

“These guys are better than the Flame APT group because of the way that they managed their infrastructure,”“The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.” said Costin Raiu, head of global research and analysis at Kaspersky during the Kaspersky Security Analyst Summit. 

The investigation on The Mask started after the Kaspersky team saw the group of hackers exploiting a vulnerability in one of the company’s products to compromised machines using an old version of its application. 

The Mask sample timeline

The Mask Group had a number of different tools at their disposal, including implants that enabled them to maintain persistence on victims’ machines, intercept all TCP and UDP communications in real-time and remain invisible on the compromised machine. The initial stage of the attack occurs with spear-phishing emails that would lead victims to a compromised Web site used to serve one of the available exploits.

Interesting to note that one of the exploit was based on the Adobe Flash vulnerability CVE-2012-0773 whose exploitation allows an attacker to bypass the sandbox in the Chrome browser. The Adobe Flash exploited was discovered by researchers at VUPEN, a French firm specialized in the sale of exploits and zero-day information.

The choice of this king of flaw, that was never leaked publicly, is motivated by the need of attackers to include in the Mask campaign different OSs, including OS X and Linux machines, as well as some mobile platforms.

“Kaspersky researchers found Windows and OS X samples and some indications of a Linux versions, but don’t have a Linux sample. There also is some evidence that there may be versions for both iOS and Android.”

Kaspersky researchers have successfully sinkholed about 90 of the C&C domains the attackers were using, Raiu confirmed all of the communications between victims and the C&C servers were encrypted.

The Mask sinkholed requests

The operation was shut down last week within a few hours, the Mask operators once discovered have rolled up the campaign within about four hours, but security experts are quite sure that attackers could resurrect the APT campaign soon.

“They could come back very quickly if they wanted,” Raiu said.

The details on the operation are available on an interesting document published on SecureList

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  The Mask APT campaign, cyber espionage)

[adrotate banner=”12″]

you might also like

leave a comment