"The Mask" Espionage Malware
Posted on 02/13/2014 8:23:30 PM PST by Theoria
We've got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs:
The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world -- from the Middle East and Europe to Africa and the Americas.
The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).
"Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment," said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. "This level of operational security is not normal for cyber-criminal groups."
It's been in operation, undetected, for at least seven years.
As usual, we infer the creator of the malware from the target list.
We counted over 380 unique victims between 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they're immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco.
There are several news articles.
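The Kaspersky excerpt above lists the credential artifacts the operators collect: SSH keys, RDP files and VPN configurations. The practical question for a defender is which of those files on a given host would be directly usable if exfiltrated. The script below is an added example, not code from Kaspersky or from Schneier's post; it walks a directory, picks out SSH private keys, .rdp files and .ovpn files, and reports whether each one carries a ready-to-use secret: an SSH key stored without a passphrase (the openssh-key-v1 header records the cipher, and "none" means unencrypted; legacy PEM keys mark encryption with a Proc-Type header), an .rdp file with a saved "password 51:b:" blob, or an .ovpn with an inline key or a stored credentials file. The sample files it scans are constructed inline for the demo; the hostnames and paths in them are made up.

```python
"""Inventory the credential artifacts The Mask is reported to collect and
flag those an attacker could use without further work. Added example; the
sample tree written by build_sample_tree() is constructed for the demo."""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


def openssh_cipher(blob: bytes) -> str:
    """Cipher name recorded in an openssh-key-v1 blob; 'none' = no passphrase."""
    if not blob.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def ssh_key_status(text: str) -> str:
    """'plaintext', 'encrypted', or 'not-a-key' for a PEM/OpenSSH key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        return "not-a-key"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        return "plaintext" if openssh_cipher(blob) == "none" else "encrypted"
    # Legacy PEM keys announce encryption in a header line.
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return "encrypted"
    return "plaintext"


def rdp_status(text: str) -> str:
    """An .rdp file with a non-empty 'password 51:b:' line stores a credential."""
    for line in text.splitlines():
        key, _, value = line.partition(":b:")
        if key.strip().lower() == "password 51" and value.strip():
            return "saved-password"
    return "no-saved-password"


def ovpn_status(text: str) -> str:
    """Flag an inline <key> block and an auth-user-pass file reference."""
    findings = []
    if "<key>" in text:
        findings.append("inline-key")
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "auth-user-pass" and len(parts) > 1:
            findings.append("stored-credentials")
    return ",".join(findings) or "clean"


def scan(root: str) -> list:
    """Return sorted (relative path, kind, status) tuples for artifacts under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            if low.endswith(".rdp"):
                results.append((rel, "rdp", rdp_status(text)))
            elif low.endswith(".ovpn"):
                results.append((rel, "vpn", ovpn_status(text)))
            else:
                status = ssh_key_status(text)
                if status != "not-a-key":
                    results.append((rel, "ssh", status))
    return sorted(results)


def _wrap_openssh(blob: bytes) -> str:
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_tree() -> str:
    """Write constructed sample files (hostnames are fictitious) and return the root."""
    root = tempfile.mkdtemp(prefix="mask-demo-")
    # Only the openssh-key-v1 prefix matters here: magic, cipher, kdf, kdf options.
    plain = OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
    enc = OPENSSH_MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt") + _ssh_string(b"\x00" * 20)
    samples = {
        ".ssh/id_ed25519": _wrap_openssh(plain),
        ".ssh/id_ed25519_work": _wrap_openssh(enc),
        ".ssh/legacy_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
        "Documents/fileserver.rdp": "full address:s:fs01.example.internal\nusername:s:alice\n"
                                    "password 51:b:01000000D08C9DDF\n",
        "Documents/lab.rdp": "full address:s:lab.example.internal\nusername:s:alice\n",
        "vpn/corp.ovpn": "client\nremote vpn.example.internal 1194\nauth-user-pass creds.txt\n"
                         "<key>\n-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n</key>\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, kind, status in scan(build_sample_tree()):
        print(f"{kind:4} {status:30} {rel}")
```

Run it against a real home directory by calling scan() on that path instead of the sample tree. A "plaintext" SSH key or a "saved-password" .rdp is exactly the kind of file that gives an intruder lateral movement for free once copied out, so those are the entries to rotate or re-protect first.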
I am remembering a sophisticated email scam about seven years ago. I wonder if this was what was seen at that time. Many of the emails were opened only to find the email was not valid. The emails ran once clicked, and the emails appeared legitimate before opening, with a known name of a person known to the receiver of the email. Numerous computers were hit, from what I remember.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.