"The Mask" Espionage Malware

We’ve got a new nation-state espionage malware. “The Mask” was discovered by Kaspersky Labs:

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world — from the Middle East and Europe to Africa and the Americas. The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer). “Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,” said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. “This level of operational security is not normal for cyber-criminal groups.”

It’s been in operation, undetected, for at least seven years.

As usual, we infer the creator of the malware from the target list.

We counted over 380 unique victims between 1000+ IPs. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.

Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they’re immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time — and use a separate tool for Morocco.

There are several news articles.

Posted on February 11, 2014 at 6:57 AM • 60 Comments