Tampa, FL and Galway, Ireland – 19th Feb 2014. The weather is almost too warm in Sochi for the Olympics. One needs adequate packed powder snow to ski, or at least to ski safely—instead, in Sochi, they have ice, plus clouds. Clouds make it difficult to see where you are going: when the sky and the ground are the same colour, you cannot distinguish heaven from earth. It is easy to get disoriented and suffer the sensation of not knowing whether you are skiing across the snow or floating above it.
But in Moscow, there is plenty of snow. There at Kaspersky (which is one of the anti virus solutions included with SpamTitan anti spam), security researchers and antivirus software developers are hunkered down in the double-paned-windowed-warmth of a Moscow winter, working long hours to find, expose, and the contain computer viruses.
What they found this week was Careto. This virus was lurking in the same place as a related virus found a few years ago. Kaspersky published a detailed forensic report to explain what they found. Some of this forensics you could have done yourself; other is much more complex. For example, they use the Linux program “strings” to extract text from the executable file. There they found comments and instructions that the programmer had written in Spanish, plus the name of the virus itself: Careto.
Servers used by attackers revealed 380+ victims from 31 countries.
Kaspersky says this Spanish word means “ugly face” or “mask”. According to Kaspersky ‘What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone)’. It’s believed that some foreign government paid to develop the virus, because it works on so many systems, suggesting a large team and much effort. Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets were government organisations including embassies, energy, oil and gas companies, research institutions, and activist’s and private equity firms.
Careto spreads using phishing. If you clicked on a mail containing their malicious link, you would have been sent to mock-up copies of El Pais, The Washington Post, El Especatdor, El Mundo, and Publico newpapers. The actual link is hidden. It says, for example: elpais.linkconf(dot)net. Careto infected some computers by exploiting a weakness in the 2012 version of Adobe Flash (Flash is used to display video in certain web pages.). The other attack was made by hiding an executable program in an otherwise harmless .jpeg picture file. The names are: dinner.jpg, waiter.jpg, and chef.jpg.
For victims a Catero malware infection spells disaster.
The virus intercepts all communication channels and collects information from the victim’s machine. Once installed, the virus steals encryption keys, records Skype calls, transcribes what you type, and listens in on data coming to and from your device. It then sends these stolen passwords, email addresses, and bank account numbers, and other secrets to a set of command and control servers, controlled by the hackers. One of these was found running inside a SoftLayer data centre, a cloud-service provider.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
Detection is difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules. Having made their discovery, Kaspersky was able to follow the virus’s forensic clues to show what computers were affected and provide lots of details about where the virus came from. Kaspersky Lab’s products detects and removes all known versions of The Mask/Careto malware so you are safe from Careto when using SpamTitan anti spam.