New Malware - "CARETO" or "TheMasK" malware infects OS X, Android, iOS, Linux, Windows

Senior Advisor

New Malware - "CARETO" or "TheMasK" malware infects OS X, Android, iOS, Linux, Windows

Hi,

 

Please take note of the new malware which was reported by Kaspersky, Intego etc.

 

That this new malware infects Android, iOS, Mac OS X, Linux and Windows.

 

Details can be found here.

 

http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advan...

 

Kaspersky Lab Uncovers “The Mask”: One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers

11 Feb 2014
Virus News

New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit

Today Kaspersky Lab’s security research team announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas.

The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).

“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,” said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab.
“This level of operational security is not normal for cyber-criminal groups.”

Kaspersky Lab researchers initially became aware of Careto last year when they observed attempts to exploit a vulnerability in the company’s products which was fixed five years ago. The exploit provided the malware the capability to avoid detection. Of course, this situation raised their interest and this is how the investigation started.

For the victims, an infection with Careto can be disastrous. Careto intercepts all communication channels and collects the most vital information from the victim’s machine. Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.

Main findings:

    The authors appear to be native in the Spanish language which has been observed very rarely in APT attacks.
    The campaign was active for at least five years until January 2014 (some Careto samples were compiled in 2007). During the course of Kaspersky Lab’s investigations, the command-and-control (C&C) servers were shut down.
    We counted over 380 unique victims between 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
    The complexity and universality of the toolset used by the attackers makes this cyber-espionage operation very special. This includes leveraging high-end exploits, an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS). The Mask also used a customized attack against Kaspersky Lab’s products.
    Among the attack’s vectors, at least one Adobe Flash Player exploit (CVE-2012-0773) was used. It was designed for Flash Player versions prior to 10.3 and 11.2. This exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox to win the CanSecWest Pwn2Own contest.

Infection Methods & Functionality

According to Kaspersky Lab’s analysis report, The Mask campaign relies on spear-phishing e-mails with links to a malicious website. The malicious website contains a number of exploits designed to infect the visitor, depending on system configuration. Upon successful infection, the malicious website redirects the user to the benign website referenced in the e-mail, which can be a YouTube movie or a news portal.

It's important to note the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails. Sometimes, the attackers use subdomains on the exploit websites, to make them seem more real. These subdomains simulate subsections of the main newspapers in Spain plus some international ones for instance, "The Guardian" and "Washington Post".

The malware intercepts all the communication channels and collects the most vital information from the infected system. Detection is extremely difficult because of stealth rootkit capabilities. Careto is a highly modular system; it supports plugins and configuration files, which allow it to perform a large number of functions. In addition to built-in functionalities, the operators of Careto could upload additional modules that could perform any malicious task.

Kaspersky Lab’s products detect and remove all known versions of The Mask/Careto malware.

To read the full report with a detailed description of the malicious tools and stats, together with indicators of compromise, see Securelist. A complete FAQ is also available here.

5 REPLIES 5
Senior Advisor

Re: New Malware - "CARETO" or "TheMasK" malware infects OS X, Android, iOS, Linu

see other details here.

 

http://community.sophos.com/t5/Threat-awareness/New-Threat-The-Mask-Careto/td-p/47229

 

I know intego also reported these.

 

 

Senior Advisor

Re: New Malware - "CARETO" or "TheMasK" malware infects OS X, Android, iOS, Linu

Since "the primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists"  Home users of F-Secure should be able to sleep safely at night!  

 

Further, luckily, the malware is initiated by a simple phishing attempt, so the best way to avoid it is simply dont click on links of unknown origin.

 

This reinforces the fact that a safety-conscious web surfer isn't likely to run into malware if they follow best practices for online activity. Moreover, together with running a reputable AV such as F-Secure in a layered defense together with a reliable backup system should be sufficient for most users to stay malware-free.  

 

So until Rusli finds the next malware scare Smiley Tongue

Senior Advisor

Re: New Malware - "CARETO" or "TheMasK" malware infects OS X, Android, iOS, Linu

LoL!

 

The next Malware scare???

 

The reports are base on facts.

 

Don't get confuse here.

 

To all, take note of the issues.

 

This have been reported by Kaspersky and Intego Antivirus Companies.

Senior Advisor

Re: New Malware - "CARETO" or "TheMasK" malware infects OS X, Android, iOS, Linu

Hey Blackcat,

 

 

 

if Stuxnet virus is real.

 

If this detected viruses from Kaspersky and Intego being reported.

 

If it can infect Mac OS X computers.

 

Don't ever think that Mac OS X is secure or superior in that sort.

 

They conducted a hack competition in Canada. And Apple was hacked in 2 minutes!

 

In fact, under hood apple is running 30% of freebsd code. The rest is from Apple and they are using their own.

 

Apple file system directories is like Windows.

 

Even you download the apps from Apple Apps Store cannot gurantee that that the apps is free from viruses.

 

Remember the Flashback virus on Mac OS X?

 

 

 

How are you going to know, that the picture that you click contains viruses???

 

Not unless the antivirus pick up the malicious code.

 

Sometime I don't understand why they say apple cannot get viruses?

 

I give example like Java?

 

As you would already know, there are Java script viruses.

 

What make they think that Mac are not infected?

 

Java as you would already know are crossplatform.

 

It can infect Windows, Linux and Macs!

 

 

Awareness in prevention.

 

 

I'm not scaring anybody. Smiley Very Happy If being reported, it's the fact.

 

I believe that Kaspersky has already got the malware sample and analysing the codes.

 

 

 

Cnet Download also infecting Mac with spywares!

 

See Thomas Reeds Blogs http://www.thesafemac.com/

 

I remember Brian Krebs, did report in his blog about Cnet Spywares.

 

http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/

 

 

See F-Secure Mac Malware video from Youtube. With Mikko Hypponen and Sean Sullivan.

 

http://www.youtube.com/watch?v=oxfdFeEoxuk

 

 

F-Secure Demo on Mac Malware detections.

 

http://www.youtube.com/watch?v=fBdc0jwLy6k

 

http://www.youtube.com/watch?v=XrGuVTzYEsw

 

 

 

See this video on Apple Viruses - fact finding.

 

http://www.youtube.com/watch?v=Mn5yBU_vuCQ

 

http://www.youtube.com/watch?v=J4s_RhsV0XU

 

 

 

Senior Advisor

Re: New Malware - "CARETO" or "TheMasK" reported by Intego

Here is  the link below for more details and excerpts.

 

 

http://www.intego.com/mac-security-blog/careto-malware-unmasked/

 

Careto Malware Unmasked

Posted on February 14th, 2014 by Derek Erwin

News of the new Careto malware has been making the rounds this week after over 1,000 victims in 31 countries were reportedly infected, whether on Mac, Windows or Linux computers. While currently inactive, following discovery by malware researchers, the malware’s attacks could restart at any time, says Gizmodo.

Intego’s Mac anti-virus software, VirusBarrier, with up-to-date malware definitions offer protection against Careto and all other known Mac malware.

Relying on phishing emails to infect computers, the Careto malware is able to log network traffic, record keystrokes, spy on Skype conversations and specifically searches for encryption keys, SSH keys or VPN settings to report back to its command and control servers.

Observed attacks were using multiple vectors, according to security researchers. These include at least one Adobe Flash Player exploit (CVE-2012-0773), social engineering, coercing users to download and execute a JavaUpdate.jar file or to install a Chrome browser plugin. Other exploits may exist as well.

It is not yet known who is responsible for Careto. Its high level of operational security and complexity has led researchers to believe that Careto might be state-sponsored. Intego will provide updates as soon as more information becomes available.

Stay safe from Careto with Mac Internet Security

Intego is offering you Mac Internet Security 2013 for a special discount of 50% off the regular price. That means you can protect your Mac for as little as $24.99.

Get 50% off using coupon code CARETO50 today! Simply replace the current coupon at checkout with CARETO50 to get this discount. Coupon only applies to new purchases of Mac Internet Security 2013. Offer ends March 1, 2014.

photo credit: titoalfredo via “photopin”cc
This entry was posted in Security News and tagged Careto, CVE-2012-0773, Linux, Mac, malware, OS X, Windows. Bookmark the permalink.