However, if you were a target, then The Mask attackers could pwn you six ways from Sunday and back again. "Basically, everything secured and confidential easily becomes available and in a plain text," explained Kaspersky Lab's Dmitry Bestuzhev. “For the victims, an infection with Careto can be disastrous,” stated the Kaspersky announcement. “Careto intercepts all communication channels and collects the most vital information from the victim’s machine. Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.”
The researchers wrote in their report [pdf]:
When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyze Wi-Fi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations.
The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP [remote desktop protocol] files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.
Last month, as Kaspersky was preparing to publish its report, the suspected nation-state attacks went dark as the APT actors shut down all operations. Based on the “very high degree of professionalism” in the attackers’ operational procedures, such as “monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on,” Kaspersky called the APT group behind The Mask “elite.”
The attack relied on social engineering, according to Kaspersky’s analysis, and depended upon highly targeted spear-phishing emails linked to malicious websites. Phishing bait for The Mask was sometimes email linking to imitated news sites “like The Guardian and Washington Post,” newspapers in Spain, or even YouTube. Kaspersky researchers noted that “the exploit websites do not automatically infect visitors; instead, the attackers host the exploits at specific folders on the website, which are not directly referenced anywhere, except in malicious e-mails.” After the attackers’ malicious site successfully infected a victim, it would then redirect the victim to the benign site referenced in the email.
The attack is designed to handle all possible cases and potential victim types. Depending on the operating system, browser and installed plugins, the user is redirected to different subdirectories, which contain specific exploits for the user’s configuration that are most likely to work.
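The two paragraphs above describe a recognisable pattern on the wire: a victim fetches several resources from an unadvertised subdirectory on a lure host, and the last request is answered with a redirect to the legitimate news site the e-mail named. The following Python script is an added example written for this article, not code from Kaspersky's report or anything The Mask operators used; it parses a few constructed proxy log lines (format, hostnames and IPs are all invented placeholders, not indicators from the report) and flags clients that match that chain.

```python
"""Flag the 'stage on a hidden subdirectory, then bounce to the real site' chain in proxy logs.

Added example for this article; the log format and every host/IP below are constructed
placeholders, not indicators from Kaspersky's report.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Sites the lure e-mails claim to link to (placeholders standing in for the newspapers
# and video site named in the article).
TRUSTED_DESTINATIONS = {"trusted-news.example", "video-site.example"}

# Constructed log format: timestamp client method url status redirect-location ('-' if none)
SAMPLE_LOG = """\
2014-02-10T09:00:01 10.0.0.5 GET http://lure-host.example/n/2014/w7-fl/index.html 200 -
2014-02-10T09:00:02 10.0.0.5 GET http://lure-host.example/n/2014/w7-fl/exploit.jar 200 -
2014-02-10T09:00:04 10.0.0.5 GET http://lure-host.example/n/2014/w7-fl/done.php 302 http://trusted-news.example/world/story
2014-02-10T09:00:05 10.0.0.5 GET http://trusted-news.example/world/story 200 -
2014-02-10T09:10:00 10.0.0.9 GET http://short.example/abc 302 http://trusted-news.example/world/story
2014-02-10T09:10:01 10.0.0.9 GET http://trusted-news.example/world/story 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["status"] = int(ev["status"])
        ev["location"] = None if ev["location"] == "-" else ev["location"]
        events.append(ev)
    return events


def parent_dir(url):
    """Directory part of a URL path, always ending in '/'."""
    path = urlparse(url).path
    return path.rsplit("/", 1)[0] + "/"


def find_staged_redirects(events, window_seconds=30, min_prior_fetches=2):
    """Return one alert per client that fetched several files from one directory on an
    untrusted host and was then redirected from that directory into a trusted site."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not (300 <= ev["status"] < 400 and ev["location"]):
                continue
            src_host = urlparse(ev["url"]).hostname
            dst_host = urlparse(ev["location"]).hostname
            # Only an untrusted host bouncing into a trusted one is interesting.
            if src_host in TRUSTED_DESTINATIONS or dst_host not in TRUSTED_DESTINATIONS:
                continue
            landing_dir = parent_dir(ev["url"])
            prior = [
                p for p in evs[:i]
                if urlparse(p["url"]).hostname == src_host
                and parent_dir(p["url"]) == landing_dir
                and (ev["ts"] - p["ts"]).total_seconds() <= window_seconds
            ]
            if len(prior) >= min_prior_fetches:
                alerts.append({
                    "client": client,
                    "host": src_host,
                    "landing_dir": landing_dir,
                    "redirected_to": dst_host,
                    "prior_fetches": [p["url"] for p in prior],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_staged_redirects(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second client in the sample goes through a plain URL shortener with no preceding fetches from that directory, so it produces no alert; the prior-fetch threshold is what separates a staged landing directory from an ordinary one-hop redirect, and both it and the time window are tunable knobs rather than values taken from the report.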
The researchers found exploits for Java, Adobe Flash and malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. Regarding the Flash exploit (CVE-2012-0773), which was “originally discovered by French company VUPEN and used to win the Pwn2Own contest in 2012,” Kaspersky wrote that VUPEN “sold” it “to governments as a 0-day.” VUPEN, which describes itself as the "leading provider of government-grade zero-day exploits," has vehemently denied in public that the Flash exploit came from it.