The Mask (aka Careto) Malware Overview

Posted by Brian Cardinale in Malware | 0 comments

Kaspersky Labs has announced the discovery a very sophisticated malware campaign dubbed The Mask (aka Careto) that has been in operation since 2007. The operator of the malware is still unknown, but a nation-state sponsor is suspected. The Command and Control (C2) network was shutdown shortly after Kaspersky made its announcement, although it is speculated the operators could restart operations with minimal effort. The malware was discovered when one of its agents attempted to exploit a monitored Kaspersky Lab product.

Victims of “The Mask” Malware

Kaspersky Lab’s believe there were approximately 380 unique victims which communicated back to the Mask’s  Command and Control (C2) Servers from 1,000 different IP addresses. These victims were spread across 31 countries. The countries most affected were:

1. Morocco (384 Unique IPs)
2. Brazil (137 Unique IPs)
3. UK (109 Unique IPs)
4. France (53 Unique IPs)
5. Spain (51 Unique IPs)
6. Switzerland (33 Unique IPs)
7. Libya (26 Unique IPs)
8. United States (22 Unique IPs)
9. Iran (13 Unique IPs)
10. South Africa, Venezuela (4 Unique IPs)

Also on the list was: Algeria, Argentina, Belgium, Bolivia, China, Colombia, Costa Rica, Cuba, Egypt, Germany, Gibraltar, Guatemala, Iraq, Malaysia, Mexico, Norway, Pakistan, Poland, Spain, Switzerland, Tunisia, and Turkey.

Infection Vector used by “The Mask“

Victims of the Mask Malware were targeted using phishing emails that appeared to be from news sources, such as “The Guardian” and “Washington Post”. These emails contained links to what appeared to be legitimate news stories, however redirected to a series of domains that served very targeted exploits in an attempt to compromise the potential victim’s system. Upon successful exploitation, the victims were redirected back to normal benign content appearing as though nothing has happened.

The exploit binaries were placed in very specific subfolders on the web server, and were not referenced anywhere except to the pages linked by the malicious emails. This indicates that these were very targeted attacks against the individuals the emails were sent to.

“The Mask” Exploit Arsenal

The Mask malware leveraged a number of “zero day” vulnerabilities to infect its victims devices. A “zero day” vulnerability is a software weakness that is not known to the vendor and hence not patched. These vulnerabilities can be exploited freely until a patch is released, if ever. These zero day vulnerabilities have value on both the white and black markets. On the white market they are sold to companies that provide security products to actively protect against these flaws. These companies facilitate the communication to the vendor to create patches.

On the black market, these flaws can fetch heavy bounties! Especially flaws that affect software products with a large user base, such as Adobe Flash, which happens to be one of the products targeted by the Mask’s payload delivery system. Among other exploits, CVE-2012-0773 was one used by the Mask malware which affected various versions of the Adobe Flash Player and allowed arbitrary code execution on various platforms (including OSX and Linux).

This exploit was publicly announced by researchers at VUPEN, a French firm that specializes in selling exploits and vulnerability information to private customers. This bug was extremely valuable as it was capable of bypassing security controls in the Chrome browser that helps reduce the impact of arbitrary code execution. These controls are known as sandboxes which try to contain code execution and prevent injected code from affecting the hosting operating system.

VUPEN has announced that the exploit used by the Mask malware is not the same as the one developed by their firm, and which was also never released publicly. This would mean the exploit may have been found independently by the attackers or was reverse engineered from the patch released by Adobe, which is another common practice for highly valuable exploits.

The Payload of “The Mask” Malware

The goal of the Mask Malware was to intercept all communications of the victim and to acquire various pieces of sensitive data. The following is a list of file extensions targeted by the Mask Malware:

*.AKF,*.ASC,*.AXX,*.CFD,*.CFE,*.CRT,*.DOC,*.DOCX,*.EML,*.ENC,*.GMG,*.GPG,*.HSE,*.KEY,*.M15,*.M2F,*.M2O,*.M2R,*.MLS,*.OCFS,*.OCU,*.ODS,*.ODT,*.OVPN,*.P7C,*.P7M,*.P7Z,*.PAB,*.PDF,*.PGP,*.PKR,*.PPK,*.PSW,*.PXL,*.RDP,*.RTF,*.SDC,*.SDW,*.SKR,*.SSH,*.SXC,*.SXW,*.VSD,*.WAB,*.WPD,*.WPS,*.WRD,*.XLS,*.XLSX

Some of these file extension do not have publicly known associated applications. These are speculated to be file extensions used by classified applications. The other extensions are associated with encryption keys, VPN configurations, SSH keys, Remote Desktop Protocol (RDP) files, as well as Microsoft Office Documents.

The Mask leverages stealth rootkit functionality making it extremely difficult to detect. It is also a highly advanced piece of software supporting plugin modules to expand it’s capabilities.

Speculations about “The Mask” Malware

Operators

The Mask Malware is suspected to be backed by an unknown national government. There are number of factors that back this speculation. The sophisticated nature of the implementation and deployment of the Mask Malware demonstrates it is being perpetrated by highly skilled attackers. The specific targets of the Mask Malware are also akin to those sought after by government entities. The targets included government agencies, embassies, diplomatic offices and energy companies. The high value of the zero day vulnerabilities used in combination to the very focused targets are strong evidence that this malware had a nation-state sponsor.

The operators actions were also extremely professional, something only seen in the most advanced cyber criminal groups. There is evidence of the groups monitoring and protecting their infrastructure during operations. The group enforced strict access rules on their infrastructure servers to disrupt research into their activities as well.  The group promptly shutdown their operations upon discovery. Log files were also “zero-wiped“, as oppose to just deleted, to prevent forensic analysis of the their systems. All these activities demonstrate a high level of operational security (OPSEC) not present in most cyber-criminal organizations.

“The Mask” (ask Careto) Spanish Speaking Origins

The Mask has been associated to have originated from a Spanish speaking nation, however there is no definitive proof. The only clue is the binary’s nickname, “Careto”, which was a word extracted from reverse engineering of the binary. The translation has come under criticism due to its spelling, as well. This combined with the Mask’s other operational security (OPSEC) activities leads this to be potentially another level of obfuscation to protect authors’ true identities.

“The Mask” Mobile and Linux Variants

The Mask has been purported to have mobile and Linux variants, however no samples have been collected yet. This speculation may stem from the Adobe exploit (CVE-2012-0773) being capable of exploiting the Android 2.x and 3.x as well as linux. Also, at least one detected victim IP connection originated from an 3G mobile network. This could be simply be a laptop tethering to a mobile device and not an actual compromised device.

Conclusion

The Mask is definitely a piece of malware that has earned its place in the history books. It has been in operation since 2007 and only shut down its operations upon detection of its discovery in January 2014. Its extremely powerful arsenal coupled with its extremely specific targets and strong operational security activities screams a nation-state sponsored activity. Only time will tell if we are right, maybe.

References:

• Unveiling “Careto” – The Masked APT
• Kaspersky: The Mask – Unveiling the World’s Most Sophisticated APT Campaign
• Infographic: The Mask malware victims
• NEW ‘MASK’ APT CAMPAIGN CALLED MOST SOPHISTICATED YET
• Washington Post, Guardian links used to infect The Mask malware victims