‘The Mask’ malware campaign, undetected by anti-virus firms since 2007?

Graham Cluley

The technology press is full of stories this week about some malware called “The Mask”.

The company which kicked off the reports is Russian security firm Kaspersky, which used the backdrop of a company meeting in the luxurious beach resort of Punta Cana in the Dominican Republic to announce its discovery to the world’s press.

Delegates heard that Kaspersky had dubbed the malware the media-friendly name of “The Mask” after discovering a string deep inside some of the malicious software’s modules.

Careto code


Careto, the company helpfully explained, is a Spanish slang word meaning “Mask” or “Ugly face”.

Despite the hoopla, “The Mask” isn’t terribly sophisticated in how it infects its victims.

The Mask campaign we discovered relies on spear-phishing e-mails with links to a
malicious website. The malicious website contains a number of exploits designed to
infect the visitor. Upon successful infection, the malicious website redirects the user
to a benign website, which can be a Youtube movie or a news portal.

In short, be wary of clicking on unsolicited links sent to you via email – you might be sent to a boobytrapped website that attempts to infect your computer.

There are more eyebrow-raising elements of the malware, however. For instance, “The Mask” incorporates a rootkit, a bootkit, versions for 32-bit and 64-bit Windows, Mac OS X and Linux and – according to the Kaspersky report – “possibly versions for Android and iOS”.

In addition, it attempts to steal sensitive information from infected computers – including
files with a wide range of extensions, keystrokes and screenshots, and encryption keys.

With a 65-page report (and “Game of Thrones”-style infographic) Kaspersky has managed to gain some airtime for its brand once again, as its proficient PR team – aided by the detailed analysis by its researchers – grabbed attention with a story of the newly-uncovered malware attack.

I say newly-uncovered, because “The Mask”, aka Careto, appears to not actually be new in itself.

Kaspersky says that the malware “has been involved in cyber-espionage operations since at least 2007”.

However, it has no definite evidence of this.

The basis for this claim comes from analysing the compilation time of some of the malware samples that the company has uncovered.

The Mask apparent compilation time of samples

However, this is information which can easily be manipulated by a coder changing a few bytes in his malware post-compilation or having an incorrectly set clock on their computer. Indeed, Kaspersky acknowledges later in the report that its dating of the malware campaign may not be entirely reliable.

We can estimate the duration of the campaign analyzing the compilation time of the samples. In some of them, the older ones, we are not so sure this data is very reliable.
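For a Windows executable, the compilation time is normally the four-byte TimeDateStamp field that the linker writes into the PE/COFF header. As an added example (not from Kaspersky's report or the original post), this Python code reads that field from constructed header bytes and shows that sanity checks can rule a date out but never confirm it; the sample headers, dates and function names are assumptions.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc
TS_OFFSET_IN_PE = 8  # "PE\0\0" (4) + Machine (2) + NumberOfSections (2)

def build_sample(when: datetime) -> bytes:
    """Constructed minimal PE header for the demo; not a real sample."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(when.timestamp()),
                       0, 0, 0xE0, 0x102)
    return dos + b"PE\x00\x00" + coff

def compile_time(pe: bytes) -> datetime:
    """Return the linker-written TimeDateStamp from the COFF header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", pe, e_lfanew + TS_OFFSET_IN_PE)
    return datetime.fromtimestamp(ts, tz=UTC)

def distrust_reasons(pe: bytes, first_seen: datetime) -> list[str]:
    """Checks that can only disprove a timestamp, never confirm it."""
    ts = compile_time(pe)
    reasons = []
    if ts.timestamp() == 0:
        reasons.append("timestamp zeroed")
    if ts > first_seen:
        reasons.append("claims to be built after it was first observed")
    return reasons

def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte offsets at which two equally sized headers differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed inputs: two headers identical except for the claimed build date.
old = build_sample(datetime(2007, 6, 1, tzinfo=UTC))
new = build_sample(datetime(2013, 6, 1, tzinfo=UTC))
seen = datetime(2014, 2, 1, tzinfo=UTC)  # assumed first-observation date

if __name__ == "__main__":
    print(compile_time(old), compile_time(new))
    print("offsets that differ:", differing_offsets(old, new))
    print(distrust_reasons(old, seen), distrust_reasons(new, seen))
```

Both headers pass every check, which is the point: a plausible-looking value is self-reported by the file and needs corroboration from independent evidence before it can date a campaign.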

If “The Mask” really has been spreading since 2007, then those computer security firms which failed to prevent it should be feeling pretty embarrassed right now.

Kaspersky’s researchers began to take a closer look at “The Mask” last year, when they determined that it was attempting to exploit an old (and long-since-patched) vulnerability in its anti-virus product to avoid detection.

According to the Russian anti-virus firm, it found evidence that some 31 countries had been affected by the malware, involving over 1000 unique IP addresses.

Approximately 40% of the infections relate to Morocco, followed by Brazil and the United Kingdom.

Curiously, China, Russia and other countries in Eastern Europe don’t appear in the chart of affected nations published by Kaspersky.

Unique victims of Careto, by country

Who is behind the attacks? No-one can really be sure.

Kaspersky researchers have speculated that “The Mask” is likely to have been a state-sponsored attack, noting that institutions hit by the malware mainly fall into the following categories:

  • Government institutions
  • Diplomatic offices and embassies
  • Energy, oil and gas companies
  • Research institutions
  • Private equity firms
  • Activists

However, that’s an accusation that is extremely hard to prove.

The existence of Spanish phrases littered throughout parts of the malware’s code has been seized upon by some, and may be a clue as to the native language of the malware’s coder(s), but seeing as it’s the second most popular language on the planet (second only to Chinese Mandarin) that’s hardly narrowing down the field of suspects.

We shouldn’t be naive, of course. Even though 100% proof is extremely hard to obtain in investigations like this, in all likelihood (given the targeted organisations, and the nature of the information that was being searched for) this was an attack supported by one country or another.

And it’s unlikely to be the last case of state-sponsored malware that we hear of during 2014.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
