Careto (malware)

Careto (Spanish for mask), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state.^[1] Kaspersky believes that the creators of the malware were Spanish-speaking.^[1]

Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain.^[2]

Payload

Careto normally installs a second and more complex backdoor program called SGH. SGH is easily modifiable and also has a wider arsenal including the ability to intercept system events, file operations, and performing a wider range of surveillance features.^[3] The information gathered by SGH and Careto can include encryption keys, virtual private network configurations, and SSH keys and other communication channels.^[4]

Detection and removal

Careto is hard to discover and remove because of its use of stealth capabilities. In addition, most of the samples have been digitally signed. The signatures are issued from a Bulgarian company,TecSystem Ltd., but the authenticity of the company is unknown. One of the issued certificates was valid between June 28, 2011 and June 28, 2013. Another was valid from April 18, 2013 to July 18, 2016, but was revoked by Verisign.^[5]

Careto was discovered when it made attempts to circumvent Kaspersky security products.^[6] Upon discovery of Careto trying to exploit their software, Kaspersky started to investigate further. As part of collecting statistics, multiple sinkholes were placed on the command and control servers.^[5]

Currently most up-to-date anti virus software can discover and successfully remove the malware.

Distribution

On investigation of the command and control servers, discoveries showed that more than 380 victims were infected. From the information that has been uncovered, the victims were infected with the malware by clicking on a spear phishing link which redirected to websites that had software that Careto could exploit, such as Adobe Flash Player. The player has since been patched and is no longer exploitable by Careto. The websites that contained the exploitable software had names similar to popular newspapers, such as The Washington Post and The Independent. ^[7]

The malware is said to have multiple backdoors to Linux, Mac OS X, and Windows. Evidence of a possible fourth type of backdoor to Android and IOS was discovered on the C&C servers, but no samples were found. ^[3]

It is estimated that Careto has been compiled as far back as 2007. It is now known that the attacks ceased in January 2014.^[5]

References

↑ ^1.0 ^1.1 Kaspersky Lab Uncovers “The Mask”: One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers, 11 February 2014
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^3.0 ^3.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers
↑ ^5.0 ^5.1 ^5.2 http://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

[kas-1] 1.0 ^1.1 Kaspersky Lab Uncovers “The Mask”: One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers, 11 February 2014

[2] Lua error in package.lua at line 80: module 'strict' not found.

[lucianconstantin-3] 3.0 ^3.1 Lua error in package.lua at line 80: module 'strict' not found.

[4] ttp://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers

[securelist.com-5] 5.0 ^5.1 ^5.2 http://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/

[6] Lua error in package.lua at line 80: module 'strict' not found.

[7] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e Hacking in the 2010s
Major incidents	Operation Aurora (2010) Australian cyberattacks (2010) Operation Payback (2010) HBGary Federal (2011) DigiNotar (2011) Operation Tunisia (2011) 2011 PlayStation Network outage (2011) Operation AntiSec (2011) Stratfor email leak (2012–13) LinkedIn hack (2012) South Korea cyberattack (2013) Snapchat hack (2013) Operation Tovar (2014) iCloud leaks of celebrity photos (2014) Sony Pictures Entertainment hack (2014) Office of Personnel Management data breach (2015) Hacking Team (2015) Ashley Madison data breach (2015) VTech data breach (2015) Bangladesh Bank heist (2016) Commission on Elections data breach (2016)
Groups	Anonymous associated events CyberBerkut Bureau 121 Derp GNAA Goatse Security Hacking Team Iranian Cyber Army Lizard Squad LulzRaft LulzSec NullCrew PayPal 14 PLA Unit 61398 RedHack Syrian Electronic Army TeaMp0isoN Tailored Access Operations UGNazi Yemen Cyber Army
Individuals	George Hotz Guccifer Hector Monsegur Jeremy Hammond Junaid Hussain Kristoffer von Hassel Mustafa Al-Bassam Ryan Ackroyd Topiary The Jester weev
Vulnerabilities discovered	Heartbleed (2014) Shellshock (2014) POODLE (2014) JASBUG (2015) Stagefright (2015) DROWN (2016) Badlock (2016)
Malware	Careto / The Mask CryptoLocker Dexter Duqu FinFisher Flame Gameover ZeuS Mahdi Metulji botnet NSA ANT catalog R2D2 (trojan) Shamoon Stars virus Stuxnet

Careto (malware)

Contents

Payload

Detection and removal

Distribution

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools