The Mask, or Careto, malware family uses classic ‘old-school’ techniques, says Context
Researchers at Context Information Security have uncovered classic virus techniques at the heart of a newly identified malware family, dubbed The Mask or Careto. Described by Kaspersky as one of the “most advanced global cyber-espionage operations to date” and widely regarded as the work of a sophisticated, state-sponsored group, this complex malware nevertheless appears to rely on technology plucked out of the history books, Context claims.
“While hidden in the complexity of the malware, Careto, or The Mask, uses the well-known technique of infecting the first executable that loads when Windows boots,” says Kevin O’Reilly, a senior researcher at Context. “This discovery seems to suggest that old tricks are sometimes the best, and also begs the question: is this a nod of respect to the virus writers who wreaked havoc in the 90s, or have they come out of retirement to develop a new nation-state cyber-weaponry arsenal?”
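Because the technique described above is file infection of an executable that runs early in the Windows boot sequence, the defensive check a practitioner wants is a baseline-and-compare of those files: hash them on a known-clean build, then re-hash on the suspect system and flag anything modified or missing. The following is an added example written for this page, not code from Context, Kaspersky or the Careto analysis. The three file names are real early-boot Windows executables chosen to illustrate the check; the page does not say which file Careto infects, and the file contents, baseline and "infection" are all constructed so the script runs offline.

```python
"""Baseline-and-compare integrity check for early-boot executables.

Added example, not code from Context or from the Careto analysis. The file
list is an assumed early-boot set used for illustration; the page does not
identify which executable the malware infects, and the bytes written here
are fake stand-ins for real binaries.
"""
import hashlib
import os
import tempfile

# Assumed early-boot set for the demo (real Windows process names, chosen
# by the author of this example, not taken from the Careto analysis).
BOOT_EXECUTABLES = ["smss.exe", "csrss.exe", "wininit.exe"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, names):
    """Record hashes of the named files under root, taken on a known-clean system."""
    return {name: sha256_of(os.path.join(root, name)) for name in names}


def check_against_baseline(root, baseline):
    """Compare files under root with the baseline.

    Returns a dict mapping each baselined name to 'ok', 'modified' or 'missing'.
    A missing early-boot executable is reported rather than ignored, since a
    replaced or renamed file is as suspicious as a patched one.
    """
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif sha256_of(path) != expected:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: clean baseline, then one boot executable is patched.

    Everything below is fabricated for the example: fake file bodies, a fake
    payload marker appended to the first-loaded executable, and one file
    deleted to exercise the missing-file path.
    """
    with tempfile.TemporaryDirectory() as root:
        for name in BOOT_EXECUTABLES:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ" + name.encode() + b"\x00" * 64)  # fake PE-ish body
        baseline = build_baseline(root, BOOT_EXECUTABLES)

        # Simulate the infection: append bytes to the first-loaded executable.
        with open(os.path.join(root, "smss.exe"), "ab") as fh:
            fh.write(b"\x90\x90\xcc")  # constructed marker, not a real payload
        # Simulate a removed or renamed file to show the 'missing' result.
        os.remove(os.path.join(root, "wininit.exe"))

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

On a real host the baseline must come from a trusted image or an offline mount, not from the suspect machine itself, and the hashes should be stored somewhere the malware cannot rewrite; a baseline taken after infection would simply certify the infected file as clean.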
The Mask, or Careto, is a wide-ranging malware toolset. Its capabilities include intercepting network traffic, keystrokes, Skype conversations, PGP keys, wireless traffic and file activity on a victim’s PC. It can also harvest a wide range of files from the infected system, including encryption and SSH keys, and VPN and remote desktop configurations.
The main targets to date have included government institutions, diplomatic embassies, oil and gas companies, research institutions, private equity firms and activists. The Mask appears to have been operating undetected for at least five years.
“Now that it has been discovered, anti-virus vendors have added detection to their products, so it is no longer a real risk,” says O’Reilly. “The historical attack vector was targeted phishing emails, or spear phishing, with infected attachments, but it is unlikely that this is still happening using this specific toolset. What is unclear is whether this is a one-off or a trend to watch out for.”
Launched in 1998, Context has a client base that includes some of the world’s most high-profile blue-chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. Many of the world’s most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants frequently present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and, with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.