Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states–among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul– the major global players such as the US, Russia, and China have been heavily represented. A new report by Kaspersky has revealed an advanced operation conducted by an as yet unknown but presumably Spanish speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged as higher than that seen in programs such as Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for ugly face or mask, it is assumed that the virus writers speak Spanish. The malware was discovered by Kaspersky Lab because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from virus scans. The payload of the program also included a rootkit and a bootkit, employed zero-day exploits and   could infect a variety of 32 and 64 bit systems, including versions for Windows, Mac, and Linux, and possibly Android and IOS used on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses which impersonated the sites of a number of Spanish and international newspapers, all of which were signed by a valid certificate (albeit a certificate for an unknown (and probably fictitious) Bulgarian company called TecSystem LTD). The setup used on command and control servers for the malware was also designed to deny access to IP addresses that may be used by security researchers, among them Kaspersky Lab.

The entities targeted by the attacks seemed to primarily be in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are also only a limited subset of the possible targeted groups, as the team involved was very effective at covering their tracks, and the given targets in the image above only represent the systems being targeted at the time that Kaspersky made their investigation. However, soon after the operation was discovered, it was shut down, as detailed in the article linked below.

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”

Dan Gifford- MCySec Media Manager