If you haven’t heard of the newly discovered nation-state espionage malware “The Mask” yet, you soon will: some security experts expect it to be the template for the next generation of cyber weapons used in advanced persistent threat (APT) campaigns.
So what makes The Mask so slick and sick? For one thing, the cyber-espionage campaign has been active since at least 2007 and still managed to go undetected for all those years. For another, there is the complexity of the attackers’ toolset. Yet another is that the data sent both to and from the command-and-control (C&C) server was wrapped in a second layer of encryption using an RSA key, on top of the channel’s own transport encryption. Kaspersky Lab researchers [pdf] said, “This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.” And about those authors . . .
When you think about “one of the most advanced” nation-state cyber-espionage threats, which country jumps to mind? Not so fast; this time it seems to be not China, not Russia, not the U.S., not Israel and not North Korea. Based on Spanish words found in the code, Kaspersky Lab said The Mask’s authors “appear to be speaking the Spanish language.” But if you’ve ever called a U.S. corporation and had to “press 1” for English, you know that Spanish is widely spoken in numerous countries. And since some of the malware modules use the Spanish slang word “Careto,” meaning “ugly face” or “mask,” wouldn’t that be a pretty slick trick for deflecting blame onto another country? Security expert Bruce Schneier nevertheless advised, “Spain, if it is you, attack a few sites in the Falklands next time — and use a separate tool for Morocco.”
The attackers’ exceptionally complex toolset included “an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions.” If you don’t use Microsoft Windows and therefore think you’re safe from The Mask, think again: Kaspersky Lab [pdf] also found versions of the malware for Linux and Mac OS X, and “possibly versions” of the backdoor for “Android and iPad/iPhone (Apple iOS).” And oh joy, oh bliss, Kaspersky researchers believe that the attackers “expanding their toolkits to include Linux and Mac ‘support,’ indicates an important trend in the world of APTs.”
But if you are just a “regular” person, you are unlikely to be targeted by The Mask’s attackers, who are believed to be sponsored by a nation-state. Although Kaspersky identified “380 unique victims in 31 countries,” the main targets have been government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and activists.