Sophisticated Spy Tool ‘The Mask’ Rages Undetected for 7 Years
BY KIM ZETTER
PUNTA CANA, Dominican Republic – Researchers have uncovered a sophisticated cyber spying operation that has been alive since at least 2007 and uses techniques and code that surpass any nation-state spyware previously spotted in the wild.
The attack, dubbed “The Mask” by the researchers at Kaspersky Lab in Russia who discovered it, targeted government agencies and diplomatic offices and embassies, before it was dismantled last month. It also targeted companies in the oil, gas and energy industries as well as research organizations and activists. Kaspersky uncovered at least 380 victims in more than two dozen countries, with the majority of the targets in Morocco and Brazil.
The attack — possibly from a Spanish-speaking country — used sophisticated malware, rootkit methods and a bootkit to hide and maintain persistence on infected machines. The attackers sought not only to steal documents, but to steal encryption keys, data about a target’s VPN configurations, and Adobe signing keys, which would give the attackers the ability to sign .PDF documents as if they were the owner of the key.
The Mask also went after files with extensions that Kaspersky has not been able to identify yet. The Kaspersky researchers believe the extensions may be used by custom government programs, possibly for encryption.
“They are absolutely an elite APT [Advanced Persistent Threat] group; they are one of the best that I have seen,” Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, said at a conference here today. “Previously in my opinion the best APT group was the one behind Flame . . . these guys are better.”
APT refers to malicious operations — primarily nation-state attacks — that use sophisticated methods to maintain a persistent foothold on machines. Flame, considered one of the most advanced APTs until now, was a massive spy tool discovered by Kaspersky in 2012 that was created by the same team behind Stuxnet, a digital weapon that was used to physically damage centrifuges in Iran that were enriching uranium for that country’s nuclear program.
Stuxnet was reportedly created by the U.S. and Israel. There are no signs that Mask was created by the same group. Kaspersky instead found evidence that the attackers may be native Spanish speakers. The attack uses three backdoors, one of which the attackers named Careto, which means Mask in Spanish. Raiu said it’s the first APT malware they’ve seen with Spanish language snippets; usually, it’s Chinese.
Kaspersky believes the espionage operation belongs to a nation state because of its sophistication and because of an exploit the attackers used that the Kaspersky researchers believe may have been sold to the attackers by Vupen, a company in France that sells zero-day exploits to law enforcement and intelligence agencies.
Vupen today said the exploit was not theirs.
Vupen sparked controversy in 2012 when they used the same vulnerability — then a zero-day — to win the Pwn2Own contest at the CanSecWest conference in Vancouver. The exploit Vupen designed allowed them to bypass the security sandbox in Google’s Chrome browser.
Vupen co-founder Chaouki Bekrar refused at the time to provide details about the vulnerability to Google, saying he would be withholding the information to sell to his customers.
A Google engineer offered Bekrar $60,000 on top of the $60,000 he had already won for the Pwn2Own contest if he would hand over the sandbox exploit and the details so Google could fix the vulnerability. Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million, but he later told WIRED he wouldn’t hand it over for even $1 million.
The exploit, it turns out, actually targeted the Adobe Flash Player, and was patched by Adobe that same year. Raiu says they don’t know for certain that the Mask attackers used the Vupen exploit to attack the Flash vulnerability, but the code is “really really sophisticated” and it’s highly unlikely that the attackers would have created their own separate exploit, he says.
But Bekrar took to Twitter today to shoot down that theory. The exploit used in Mask is not the one developed by Vupen, he wrote. Rather, the authors of the Mask exploit likely developed their own attack by examining the Adobe patch. “Our official statement about #Mask: the exploit is not ours, probably it was found by diffing the patch released by Adobe after #Pwn2Own”.
The Mask attackers designed at least two versions of their malware – for Windows and Linux-based machines – but the researchers believe there may also be mobile versions of the attack for Android and iPhone/iPad devices, based on some evidence they uncovered.
They targeted victims through spear-phishing campaigns that included links to web pages where the malware loaded onto their machines. In some cases, the attackers used familiar-seeming subdomains for their malicious URLs to trick victims into thinking they were visiting legitimate sites for the top newspapers in Spain or for the Guardian and Washington Post. Once the user was infected, the malicious web site redirected the user to the legitimate site they sought.
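The lure pattern described above, a brand name tucked into the subdomain of an attacker-owned host followed by a quick redirect to the genuine site, is something a defender can look for in outbound proxy logs. The script below is an added example, not code from the article or from Kaspersky. The log format, the brand allowlist (`BRANDS`), the hostnames under `.example` and the client addresses are all constructed for illustration, and the registrable-domain logic is a deliberate simplification (last two labels, no public suffix list).

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample proxy log lines (not from the article).
# Format: timestamp client_ip host path
SAMPLE_LOGS = """\
2014-02-10T09:12:01Z 10.0.0.14 www.theguardian.com /world
2014-02-10T09:12:44Z 10.0.0.14 www.theguardian.com.news-update.example /login
2014-02-10T09:13:05Z 10.0.0.22 washingtonpost.example-cdn.example /politics
2014-02-10T09:13:09Z 10.0.0.22 www.washingtonpost.com /politics
2014-02-10T09:14:30Z 10.0.0.31 elpais.com /
"""

# Hypothetical allowlist: brand label -> registrable domains that legitimately own it.
BRANDS = {
    "theguardian": {"theguardian.com"},
    "washingtonpost": {"washingtonpost.com"},
    "elpais": {"elpais.com"},
}

LogEntry = namedtuple("LogEntry", "ts client host path")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(LogEntry(*m.groups()))
    return entries


def registrable_domain(host):
    """Last two labels of the hostname (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the brand a hostname imitates when a brand label appears anywhere
    left of the TLD but the registrable domain is not one the brand owns;
    None for genuine brand hosts and for unrelated hosts."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if any(reg in owners for owners in BRANDS.values()):
        return None
    candidate_labels = host.split(".")[:-1]
    for brand in BRANDS:
        if any(brand in label for label in candidate_labels):
            return brand
    return None


def find_lookalikes(text):
    """(host, imitated brand, client) for every log entry on a lookalike host."""
    hits = []
    for e in parse_log(text):
        brand = lookalike_brand(e.host)
        if brand:
            hits.append((e.host, brand, e.client))
    return hits


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def redirect_pairs(text, window_seconds=30):
    """Pair each lookalike visit with a later visit by the same client to the
    genuine brand site within window_seconds: the bait-then-redirect sequence.
    Assumes the log is in chronological order."""
    entries = parse_log(text)
    pairs = []
    for i, e in enumerate(entries):
        brand = lookalike_brand(e.host)
        if not brand:
            continue
        for f in entries[i + 1:]:
            if f.client != e.client:
                continue
            if (_ts(f.ts) - _ts(e.ts)).total_seconds() > window_seconds:
                break
            if registrable_domain(f.host) in BRANDS[brand]:
                pairs.append((e.client, e.host, f.host))
                break
    return pairs


if __name__ == "__main__":
    for host, brand, client in find_lookalikes(SAMPLE_LOGS):
        print(f"{client} visited {host} (imitates {brand})")
    for client, bait, real in redirect_pairs(SAMPLE_LOGS):
        print(f"{client}: {bait} -> {real} within 30s (bait-then-redirect)")
```

On the constructed sample, the Guardian lookalike is flagged on its own, and the Washington Post lookalike is additionally paired with the genuine site visit four seconds later. In practice the brand list would be the sites your users actually read, and the registrable-domain step should use a public suffix list rather than the last-two-labels shortcut used here.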
The Careto module, which siphoned data from machines, used two layers of encryption — both RSA and AES — for its communication with the attackers’ command-and-control servers, preventing anyone who got physical access to the servers from reading the communication.
Kaspersky discovered the operation last year when the attackers attempted to exploit a five-year-old vulnerability in a previous generation of Kaspersky’s security software that had long ago been patched. Kaspersky detected attempts to exploit four of its customers using the vulnerability.