Kaspersky Labs has released a report detailing a cyber espionage operation that employed a highly sophisticated multi-platform malware that compromised the systems of hundreds of government and private organizations in more than two dozen countries.
The researchers refer to the espionage campaign as “The Mask,” the English translation of “Careto,” the name of the attackers' primary backdoor. The malware used sophisticated rootkit techniques as well as bootkit functionality to conceal itself and maintain persistence on infected systems.
“When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations,” the researchers wrote.
“The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.”
The researchers believe that The Mask targeted sensitive documents, encryption keys and VPN configurations, and also went after data with unidentified file extensions that may be associated with customized programs, possibly for encryption purposes.
The sophistication of the malware leads the researchers to believe the operation may be state-supported.
“They are absolutely an elite APT [Advanced Persistent Threat] group; they are one of the best that I have seen,” said Kaspersky’s Costin Raiu. “Previously in my opinion the best APT group was the one behind Flame… these guys are better.”