Who’s behind The Mask? A guide to the spyware-on-steroids bundle

The Russian security firm Kaspersky Lab announced late Monday that it had uncovered what it calls “The Mask”, a bundle of cyber-nastiness that was apparently used to spy on people for as much as 7 years.
Here’s a primer on what The Mask was apparently capable of, and the hints we have as to its origins.

What’s in the box?

The Mask was what is classified as an “advanced persistent threat” (APT). Other examples of APTs include Stuxnet, an Israeli-American worm (according to many sources including Edward Snowden) that was used to sabotage Iran’s uranium-enrichment efforts, and related malware such as Duqu and Flame.
According to Kaspersky, The Mask included “an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android(S goog) and iOS(s aapl).” Versions for 32-bit and 64-bit Windows(s msft) were also in there.

Who got hit and how?

At least 380 victims in 31 countries, mostly government institutions, activists, diplomats, energy companies and research organizations. The Mask siphoned off documents, encryption keys, Skype(s msft) conversations, keystrokes and so on.
This was a very stealthy and pervasive tool set, able to tap into all the target computer’s communications channels. It had several vectors of transmission, including a flaw in Adobe(s adbe) Flash that has since been fixed, and older versions of Kaspersky’s security products (which was how Kaspersky spotted the thing in the first place).
Generally, victims clicked on dodgy links in emails that took them to websites with malware waiting in hidden folders. These were sometimes disguised as subsections of online newspapers such as El Pais and El Mundo, but also non-Spanish publications including Time, The Guardian and The Washington Post. Apart from spying, the malware also set up a channel through which other modules of unpleasantness could be uploaded.

Who would do such a thing?

Almost certainly an intelligence agency or some other state-sponsored outfit. According to Kaspersky Lab research director Costin Raiu, this thing is too sophisticated to come from a criminal group:

“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment.”

Why “The Mask”?

Because the code contains the word “careto”, which is a Spanish slang term for “ugly face” or “mask”. Kaspersky actually uses “Careto” as the name for one of the two backdoor implants included in the package, with the other being “SGH.”
There are also other terms in there that point to a Spanish-language connection, such as “Caguen1aMar”, which appears to be a contraction of an expression referring to someone defecating in the sea. One of the command-and-control (C&C) server domains was also apparently registered to an Argentinian.
Add to this the frequency of Spanish newspapers in the attack vector, and it does appear there is some connection to the Spanish-speaking world. That’s not an established fact, however – the authors could have dropped in such hints to obfuscate The Mask’s true origins.
According to Kaspersky, it is very rare to see the Spanish language used in APT attacks – Chinese is much more common.

Should I be scared?

Kaspersky said the C&C servers were shut down as part of its investigation, so The Mask probably isn’t going to get you. If you’re in that reasonably limited target group, however, there’s every chance that a variant is out there, as is the motive.
In short, the moral of the story is: don’t click on dodgy links in emails. But you knew that anyway, right?