New threat actor: Spanish-speaking attackers targeting government institutions, energy, oil & gas companies and other high-profile victims via cross-platform malware toolkit
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world -- from the
The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).
"Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu (http://www.securelist.com/en/blog/208193178/Duqu_FAQ) in terms of sophistication, making it one of the most advanced threats at the moment," said Costin Raiu, Director of the
"This level of operational security is not normal for cyber-criminal groups."
For the victims, an infection with Careto can be disastrous. Careto intercepts all communication channels and collects the most vital information from the victim's machine. Detection is extremely difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules.
-- The authors appear to be native Spanish speakers, which has been observed very rarely in APT attacks.
-- The campaign was active for at least five years until
-- The complexity and universality of the toolset used by the attackers make this cyber-espionage operation very special. This includes leveraging high-end exploits, an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS). The Mask also used a customized attack against
-- Among the attack vectors, at least one Adobe Flash Player exploit (CVE-2012-0773) was used. It targeted Flash Player versions prior to 10.3 and 11.2. This exploit was originally discovered by VUPEN and was used in 2012 to escape the Google Chrome sandbox and win the CanSecWest Pwn2Own contest.
Infection Methods & Functionality
It is important to note that the exploit websites do not automatically infect visitors; instead, the attackers host the exploits in specific folders on the website, which are not directly referenced anywhere except in malicious e-mails. Sometimes the attackers use subdomains on the exploit websites to make them seem more legitimate. These subdomains simulate subsections of the main newspapers in Spain plus some international ones, for instance "The Guardian" and "
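One defender-side check for the lure-hosting pattern described above, added here as an example that is not part of the press release or of Kaspersky's tooling: it flags URLs whose host carries a known newspaper's name in a subdomain while being registered under an unrelated domain. The brand list, the public-suffix subset and the sample URLs are constructed for illustration.

```python
# Added example (not from the press release): detect news-site lookalike hosts,
# i.e. a known brand label used as a subdomain of an unrelated registered domain.
from urllib.parse import urlsplit

# Constructed watch-list: brand label -> its legitimate registered domains.
KNOWN_BRANDS = {
    "theguardian": {"theguardian.com", "guardian.co.uk"},
    "elpais": {"elpais.com"},
    "elmundo": {"elmundo.es"},
}

# Constructed subset of two-label public suffixes; a real deployment would use
# the full Public Suffix List instead of this hand-made set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.es", "org.uk"}


def registered_domain(host: str) -> str:
    """Return the registrable domain, e.g. 'guardian.co.uk' or 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(url: str):
    """Return the imitated brand if the URL's subdomain contains a known brand
    label but the registered domain is not one of that brand's own; else None."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    # Everything left of the registered domain is attacker-controlled naming.
    sub = host[: -len(reg)].rstrip(".") if reg and host.endswith(reg) else ""
    flattened = sub.replace("-", "").replace(".", "")
    for brand, legit in KNOWN_BRANDS.items():
        if reg in legit:
            return None  # genuine site for this brand
        if brand in flattened:
            return brand
    return None


def triage(urls):
    """Map each URL to the brand it imitates (None for genuine or unknown hosts)."""
    return {u: lookalike_brand(u) for u in urls}
```

Run `triage()` over the link targets extracted from a suspicious e-mail; a non-None result means the host borrows a newspaper's name without being that newspaper's domain.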
The malware intercepts all the communication channels and collects the most vital information from the infected system. Detection is extremely difficult because of stealth rootkit capabilities. Careto is a highly modular system; it supports plugins and configuration files, which allow it to perform a large number of functions. In addition to built-in functionalities, the operators of Careto could upload additional modules that could perform any malicious task.
To read the full report with a detailed description (http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf) of the malicious tools and stats, together with indicators of compromise, see Securelist. A complete FAQ is also available here (http://www.securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_Asked_Questions).
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares (IDC #242618,