The Mask: nova super "APT"

Washington Post, Guardian links used to infect The Mask malware victims

Kaspersky Lab security research team just released details about "The Mask" (aka Careto) cyber-espionage malware, calling it "one of the most advanced threats at the moment" at the 2014 Kaspersky Security Analyst Summit.

Researchers told attendees The Mask is an extremely sophisticated nation-state spying tool and believe it to have been in operation since 2007.

IOC information has been included in Kaspersky's detailed technical research paper.

Like Flame, another Kaspersky discovery, Careto is a uniquely powerful and refined cyber-espionage operation comprised of modular tools.

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

Its victims are exploited by phishing emails linking to tainted subdomains simulating subsections of the Washington Post, Guardian, and YouTube, among others.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

There are also several unknown extensions being monitored that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."

In their explosive presentation "A Glimpse Behind The Mask" Kaspersky Lab's Russian researchers Costin Raiu, Vitaly Kamluk and Igor Soumenkov explained that the complexity and universality of the toolset used by the attackers behind "The Mask" earns the malware a place in history.
notícia completa