The expert researchers at Kaspersky Lab have been hard at work this winter uncovering new malware, viruses and malicious code that threaten computers, mobile phones, servers and corporate networks. However, what has recently been discovered is very worrying indeed: a new and highly sophisticated piece of malware named Careto.
This is not a run-of-the-mill virus. It is nasty, very sophisticated and, consequently, probably the work of government-backed hackers. Careto appears to have come from a source already known to researchers, one that produced a similar virus not long ago. Kaspersky discovered the new virus and took rapid action to neutralize the threat.
Kaspersky Lab has already produced a detailed description of its discovery after conducting a thorough forensic analysis. That said, some of the techniques used to explore the nature of the virus are not particularly sophisticated and could be performed by any IT professional.
Kaspersky used strings, a standard Unix/Linux command-line utility that pulls runs of printable characters out of binary files, to extract text from the executable. What they found was a series of strings in Spanish, together with the name the authors had given their creation: Careto.
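As an added illustration of the technique (this is example code written for this article, not Kaspersky's tooling), the script below re-implements what strings does and goes one step further: it also scans for UTF-16LE text, which Windows binaries commonly contain and which the default ASCII scan misses. The sample binary is constructed inline and is not taken from any real Careto file; the string "careto_module_v1" and the Spanish phrase are invented for the demonstration.

```python
# Added example (not Kaspersky's tooling): a small re-implementation of what
# the `strings` utility does, extended to UTF-16LE so that the wide strings
# Windows binaries commonly contain are not missed.
import re


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[str, int, str]]:
    """Return (encoding, offset, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE, sorted by file offset."""
    found = []
    # Plain ASCII runs: what `strings` reports by default.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    # UTF-16LE runs: each printable byte is followed by a NUL byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16le")))
    found.sort(key=lambda item: item[1])
    return found


def find_strings(data: bytes, keyword: str, min_len: int = 4) -> list[str]:
    """Case-insensitive search over the extracted strings, e.g. for a name
    such as 'Careto' or for Spanish-language words."""
    needle = keyword.lower()
    return [text for _, _, text in extract_strings(data, min_len) if needle in text.lower()]


# Constructed sample binary (not real Careto bytes): a DOS-stub-like header,
# one ASCII string, one UTF-16LE Spanish string, one run too short to report,
# and an ASCII URL.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"\xff" * 7
    + b"careto_module_v1\x00\x00"
    + b"\x01\x02\x03"
    + "Error al iniciar el servicio".encode("utf-16le") + b"\x00\x00"
    + b"ab\x00"
    + b"http://example.invalid/update\x00"
)

if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE_BINARY):
        print(f"{off:#08x} {enc:9s} {text}")
    print("matches for 'careto':", find_strings(SAMPLE_BINARY, "Careto"))
```

On a Linux machine the equivalent commands are `strings -n 4 file` for the ASCII pass and `strings -e l file` for the UTF-16LE pass; the point of the second pass is that a Windows sample can carry its most telling text (error messages, paths, the author's chosen name) only in wide-character form.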
The name “Careto” is colloquial Spanish for “ugly face”, roughly “ugly mug” in English. It doesn't translate as “disaster”, but it might as well: this virus wreaks havoc.
Hidden inside this virus are a rootkit and a bootkit. The malware is particularly nasty and versatile: there are versions for Windows, Mac OS X and Linux, and it is presumed it would also work on Android phones and iOS devices. It is very sophisticated in nature, and because of its complexity it has been suggested that it is not the work of a bored, skilled teenager coding away in a bedroom. The complexity suggests that a considerable amount of time and effort has been put into developing the virus. Careto works across multiple operating systems, which Kaspersky suggests makes it the work of a team of hackers rather than one individual.
Kaspersky investigated the Careto virus and started monitoring the command-and-control (C&C) servers known to be used by the hackers. This enabled the researchers to determine that the virus is proving effective: it has already infected over 380 computers, with infections discovered in 31 countries around the world. The Careto virus appears to have been used to target specific organizations and has been discovered in government organizations around the world, in particular foreign embassies. Oil and gas companies, private equity firms and research institutions have also been targeted.
The virus is primarily spread by spear phishing campaigns. Targets have been sent links to fake versions of popular newspapers, including The Washington Post, and Spanish-language newspapers such as El Pais, El Espectador, Publico and El Mundo.
The link in the phishing email is masked, so users are fooled into thinking they are visiting the genuine periodical. The virus has also been found to infect computers via a security vulnerability in Adobe Flash Player (a flaw dating from 2012). Flash is still used on a number of (typically older) websites to display advertising and video files.
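The masked-link trick described above is one that mail filters can check for mechanically: an anchor whose visible text is a newspaper's domain, but whose href points somewhere else. The following is an added example written for this article (it is not SpamTitan's or Kaspersky's code) that parses an HTML message body and flags such links. The sample message and every host in it are constructed using reserved example names; none are real phishing infrastructure.

```python
# Added example (not SpamTitan's or Kaspersky's code): flag anchors in an HTML
# e-mail whose visible text is a domain or URL that does not match the host
# the href actually points to.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str):
    """Host named by a URL or bare domain, lower-cased, without a leading
    'www.'; None if the string does not look like a URL or a domain."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/")[0]
        if not DOMAIN_RE.match(host):
            return None
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host or None


def same_site(text_host: str, href_host: str) -> bool:
    # A subdomain of the displayed domain is fine; anything else is not.
    return href_host == text_host or href_host.endswith("." + text_host)


def masked_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) for every link whose displayed
    domain differs from the destination host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        text_host, href_host = host_of(text), host_of(href)
        if text_host and href_host and not same_site(text_host, href_host):
            flagged.append((text, href))
    return flagged


# Constructed sample message body; the hosts are reserved/example values.
SAMPLE_EMAIL = """
<p>Read today's front page:</p>
<a href="http://elpais.com.news-login.example/portada">www.elpais.com</a><br>
<a href="https://politica.elpais.com/politica/">politica.elpais.com</a><br>
<a href="https://www.washingtonpost.com/">The Washington Post</a><br>
<a href="http://198.51.100.7/elmundo/">http://www.elmundo.es/</a>
"""

if __name__ == "__main__":
    for text, href in masked_links(SAMPLE_EMAIL):
        print(f"masked link: shows {text!r} but goes to {href}")
```

The second sample link is deliberately left alone: a subdomain of the displayed site is legitimate, so the check only fires when the destination host is neither the displayed domain nor beneath it. Links whose visible text is not a domain at all (the third one) are not judged, since there is nothing to compare.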
Users may be wary of double-clicking emailed executable (.exe) files, but what about seemingly harmless picture files such as JPEGs? The executable was found hidden in files that appeared to be JPEGs, with names such as chef.jpg, waiter.jpg and dinner.jpg chosen to make them look innocent.
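A file's extension says nothing about what it contains; the first bytes do. The added example below (written for this article, not Kaspersky's analysis code) identifies a file from its magic bytes, reports a mismatch between the name and the content, and also looks for a Windows PE executable appended to a genuine image, which a magic check alone would pass. The contents are constructed here; the sample file names are the ones the article mentions, but the bytes are not those of the real files.

```python
# Added example (not Kaspersky's tooling): decide what a file really is from
# its leading bytes rather than its name, and look for a PE executable
# appended to a genuine image.
import os

MAGICS = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "pe"),                   # DOS/Windows executable stub
    (b"\x7fELF", "elf"),             # Linux executable
    (b"\xcf\xfa\xed\xfe", "macho"),  # 64-bit Mach-O, little-endian
    (b"\xce\xfa\xed\xfe", "macho"),  # 32-bit Mach-O, little-endian
]
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                 ".exe": "pe", ".dll": "pe", ".scr": "pe"}
IMAGE_KINDS = {"jpeg", "png"}


def identify(data: bytes) -> str:
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def looks_like_pe(data: bytes, off: int) -> bool:
    """True if an 'MZ' at off is followed by an e_lfanew field (at +0x3c)
    that points at a 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = int.from_bytes(data[off + 0x3c:off + 0x40], "little")
    return data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def embedded_pe_offsets(data: bytes) -> list[int]:
    """Offsets past the start of the file where a PE header is found."""
    hits, off = [], data.find(b"MZ", 1)
    while off != -1:
        if looks_like_pe(data, off):
            hits.append(off)
        off = data.find(b"MZ", off + 1)
    return hits


def scan_file(filename: str, data: bytes) -> list[str]:
    """Reasons the file is suspicious; an empty list means nothing was found."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    expected = EXPECTED_KIND.get(ext)
    if expected is not None and kind != expected:
        reasons.append(f"extension {ext} claims {expected} but content is {kind}")
    if kind in IMAGE_KINDS:
        for off in embedded_pe_offsets(data):
            reasons.append(f"PE executable embedded at offset {off}")
    return reasons


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: a 64-byte DOS header whose
    e_lfanew field points straight at a 'PE\\0\\0' signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3e)
    header[0x3c:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed minimal JPEG: SOI marker, one APP0/JFIF segment, EOI marker.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"

# Constructed samples: the names are those the article reports, the bytes are not the real files.
SAMPLES = {
    "chef.jpg": build_fake_pe(),                # executable renamed to .jpg
    "dinner.jpg": GOOD_JPEG,                    # genuine image
    "waiter.jpg": GOOD_JPEG + build_fake_pe(),  # image with executable appended
    "report.exe": build_fake_pe(),              # executable honestly named
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, "->", scan_file(name, content) or "ok")
```

The PE check deliberately requires the e_lfanew pointer to land on a real signature rather than matching on "MZ" alone, because two arbitrary bytes will turn up inside compressed image data often enough to make a bare substring search useless.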
What Does the Careto Virus do?
The types of individuals targeted thus far give a clue as to what the Careto virus does. Its aim is to collect highly sensitive information, which it does by intercepting the communications channels used on victims' computers.
It “listens” in on Skype calls and chat sessions, and records and exfiltrates data from the infected device. Passwords, encryption keys, bank account numbers, email addresses, phone numbers and all manner of other sensitive information are obtained by the hackers. This data is sent to the hackers' command-and-control servers, one of which was discovered to reside on servers belonging to SoftLayer, the IBM-owned cloud service provider.
Unfortunately for the infected, detecting the virus is difficult, because it has stealth rootkit capabilities, cyber-espionage modules and other functionality that help it avoid detection. After discovering and analyzing the virus, Kaspersky was able to track infected computers.
Fortunately, AV definitions have now been updated to spot the Careto virus, which, incidentally, is blocked by SpamTitan anti-spam software. SpamTitan is able to prevent this nasty virus from being delivered to your inbox.