The Mask – Unveiling the World’s Most Sophisticated APT Campaign

Vitus White
Last updated: 13 October

PUNTA CANA–A hacking group likely backed by an unknown national government has been targeting government agencies, embassies, diplomatic offices and energy companies for more than five years in what Kaspersky researchers are calling the most sophisticated advanced persistent threat campaign they have ever seen.

Unveiled yesterday at the company’s Security Analyst Summit in the Dominican Republic, the threat is called “Careto,” which is apparently Spanish for “ugly face” or “mask,” though there appears to be a bit of dissension about this among Spanish speakers.

This campaign is concerning because it clearly demonstrates that the most highly skilled attackers out there are learning, honing their trade, and generally getting better at infecting, spying on, and stealing from very specific targets. It is also concerning because the Mask has existed under the radar, silently intercepting sensitive data, since 2007. Had the attackers not tried to exploit a patched vulnerability in an older version of a Kaspersky product, Costin Raiu, the director of the company’s Global Research and Analysis Team, said his researchers might never have found it.

“Exploiting Kaspersky products is most unwise,” Raiu said in his presentation of the Mask.

However, highly sophisticated APT campaigns like this one are generally designed to infect the machines of individuals with access to very specific, highly sought-after networks, in this case mostly those of government agencies and energy companies. In other words, the attackers are not interested in the vast majority of people. Another reason to curb your concern is that whoever is responsible for the campaign shut it down mere hours after Kaspersky’s Global Research and Analysis Team published a preview of the APT campaign.


Kaspersky researchers have sinkholed about 90 of the command and control domains the attackers were using, and Raiu said that after the post was published, the Mask operators shut everything down within about four hours. Sinkholing is a process through which researchers wrest control of a botnet’s or malware family’s communication infrastructure (typically by taking over its domain names) and redirect traffic away from the malicious servers controlling the campaign, so infected machines end up talking to the researchers instead of the operators.
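One practical consequence of sinkholing that defenders can use: once C&C domains have been sinkholed, any internal host that still tries to resolve them is a likely infection worth investigating. The following is an added example, not code from the original article or from Kaspersky, that scans resolver log lines for lookups of sinkholed domains (including subdomains, case differences and the trailing root dot) and reports which clients beaconed. The domains, timestamps, client addresses and log line format are constructed placeholders, not real Mask/Careto indicators.

```python
import re
from collections import defaultdict

# Constructed, hypothetical list of sinkholed C&C domains (placeholders only,
# not real Mask/Careto indicators). In practice this list comes from the
# researchers who operate the sinkhole.
SINKHOLED_DOMAINS = {
    "c2-placeholder-one.example",
    "c2-placeholder-two.example",
}

# Matches one line of a constructed resolver log format, e.g.
# 2014-02-11T09:15:02Z client=10.0.0.7 query=update.c2-placeholder-one.example. type=A
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot so that
    'Update.C2.example.' and 'update.c2.example' compare equal."""
    return name.rstrip(".").lower()


def matches_sinkhole(qname, sinkholed=SINKHOLED_DOMAINS):
    """Return the sinkholed domain that qname equals or is a subdomain of,
    or None. The '.' prefix check keeps 'notc2-placeholder-one.example'
    from matching 'c2-placeholder-one.example'."""
    q = normalize(qname)
    for dom in sinkholed:
        d = normalize(dom)
        if q == d or q.endswith("." + d):
            return d
    return None


def find_beaconing_hosts(log_lines, sinkholed=SINKHOLED_DOMAINS):
    """Map each client address to the set of sinkholed domains it queried.
    Clients with no hits are omitted; lines that do not parse are skipped."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = matches_sinkhole(m.group("qname"), sinkholed)
        if hit:
            hits[m.group("client")].add(hit)
    return dict(hits)


# Constructed sample log: two lookups from one host (one uppercase, one a
# subdomain), a benign lookup, a look-alike that must NOT match, and a
# malformed line that must be skipped.
SAMPLE_LOG = [
    "2014-02-11T09:15:02Z client=10.0.0.7 query=update.c2-placeholder-one.example. type=A",
    "2014-02-11T09:15:40Z client=10.0.0.9 query=www.legit-site.example. type=A",
    "2014-02-11T09:20:11Z client=10.0.0.7 query=C2-PLACEHOLDER-TWO.EXAMPLE type=A",
    "2014-02-11T09:21:00Z client=10.0.0.12 query=notc2-placeholder-one.example. type=A",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host, domains in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(host, sorted(domains))
```

Running the block prints only `10.0.0.7` with both placeholder domains; the look-alike domain and the malformed line are ignored. The same suffix-matching logic applies to proxy or firewall logs once the destination host name is extracted.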

However, Raiu said that the attackers could resurrect the operation and come back very quickly without much trouble if they wanted.

The campaign is also noteworthy for several other reasons. For one, it doesn’t seem to have any connection to China, which is where a lot of these sorts of attacks are alleged to have originated. It’s also interesting because the people who directed the campaign appear to be Spanish speakers, which is novel but not altogether surprising or revelatory, considering that the language is second only to Mandarin, with nearly 400 million Spanish speakers in the world. Targets of the Mask campaign are also predominantly Spanish-speaking but located in more than 30 countries.

Beyond this, the group is said to have had in their arsenal at least one zero-day and versions of the Mask malware intended to target machines running Mac OS X, Linux, and perhaps even mobile devices running iOS and Android. At least one victim in Morocco, Raiu said, had a device that was communicating with the C&C infrastructure over a mobile 3G network.

“These guys are better than the Flame APT group because of the way that they managed their infrastructure,” said Raiu. “The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.”

As a point of reference, Flame is another APT campaign uncovered by Kaspersky researchers in 2012. It targeted Middle Eastern countries and was pretty sophisticated in the way it generated fraudulent digital certificates appearing to come directly from Microsoft.

As is so often the case, the Mask attackers targeted their victims with spear-phishing emails that led to malicious Web sites where the exploits were hosted. The sites were loaded with exploits and were only accessible through the direct links the attackers sent to the victims.

Raiu said that the attackers had a number of different tools at their disposal, including implants that enabled them to maintain persistence on victims’ machines, intercept all TCP and UDP communications (the two main transport protocols through which traffic travels on the Internet) in real time, and remain invisible on the compromised machine. Raiu said all of the communications between victims and the C&C servers were encrypted.


Source: kaspersky.com

Vitus White October 13, 2022 October 7, 2022