Careto (malware)

From Wikipedia, the free encyclopedia
Espionage malware discovered in 2014
Careto
Alias: The Mask
Classification: Spyware
Isolation date: 2014
Origin: Nation state

Careto (Spanish slang for "face"), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state.[1] Kaspersky believes that the creators of the malware were Spanish-speaking.[1]

Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain.[2]

Payload

Careto normally installs a second, more complex backdoor called SGH. SGH is easily modifiable and has a wider arsenal, including the ability to intercept system events and file operations and to perform a wider range of surveillance functions.[3] The information gathered by SGH and Careto can include encryption keys, virtual private network configurations, SSH keys and material for other communication channels.[4]

Detection and removal

Careto is hard to discover and remove because of its stealth capabilities. In addition, most of the samples have been digitally signed. The certificates were issued to a Bulgarian company, TecSystem Ltd., but whether the company is genuine is unknown. One of the certificates was valid between June 28, 2011 and June 28, 2013. Another was valid from April 18, 2013 to July 18, 2016, but was revoked by Verisign.[5] A valid signature on a sample is therefore not evidence that it is benign; signer identity and revocation status have to be checked as well.

Careto was discovered when it attempted to circumvent Kaspersky security products.[6] Upon finding Careto trying to exploit their software, Kaspersky began investigating further. To collect statistics, multiple sinkholes were placed on the command and control servers.[5]

Currently, most up-to-date antivirus software can detect and successfully remove the malware.

Distribution

Investigation of the command and control servers showed that more than 380 victims had been infected. From the information that has been uncovered, the victims were infected by clicking on a spear phishing link that redirected to websites hosting exploits for software such as Adobe Flash Player. The player has since been patched and is no longer exploitable by Careto. The websites that hosted the exploits had names similar to those of popular newspapers, such as The Washington Post and The Independent.[7]

The malware is said to have backdoors for Linux, Mac OS X and Windows. Evidence of a possible fourth type of backdoor for Android and iOS was found on the C&C servers, but no samples were recovered.[3]

Compilation timestamps suggest Careto has been in use as far back as 2007. The attacks ceased in January 2014.[5]
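The newspaper-lookalike staging domains described above are the kind of indicator a proxy-log review can catch before a user reaches the exploit page. The following is an added example, not code from the Wikipedia article or from Kaspersky's report: a small, standard-library-only lookalike triage that flags hostnames that typosquat a brand's registrable domain or embed the brand name under an unrelated domain. The brand list, the stand-in public-suffix list and the sample URLs are constructed assumptions for illustration; Careto's real domains are not reproduced here.

```python
"""Lookalike-domain triage for proxy/URL logs.

Added example, not from the Wikipedia article or Kaspersky's report. The
brand list, public-suffix list and URLs below are constructed assumptions;
Careto's real staging domains are not reproduced here.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption: legitimate registrable domains of the brands the text names,
# mapped to the brand tokens an imitating hostname would have to contain.
KNOWN_BRANDS = {
    "washingtonpost.com": ("washingtonpost", "washington-post"),
    "independent.co.uk": ("independent",),
}

# Tiny stand-in for the Public Suffix List (assumption: enough for the sample).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk"}

TYPO_DISTANCE = 2  # edits at or below which a second-level label is a typosquat


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Return eTLD+1 for host using the stand-in suffix list ("a.b.co.uk" -> "b.co.uk")."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return ".".join(labels)


def classify(url: str) -> tuple[str, str]:
    """Classify a URL's host as legitimate / typosquat / lookalike / unrelated.

    Returns (verdict, reason). Order matters: an exact match on the real
    registrable domain wins, so "www.independent.co.uk" is not flagged just
    because it contains the brand token.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unrelated", "no host in URL"
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS:
        return "legitimate", f"registrable domain {reg} is the real site"
    sld = reg.split(".")[0]
    for real, tokens in KNOWN_BRANDS.items():
        real_sld = real.split(".")[0]
        # Typosquat: the attacker-controlled label is within a couple of edits of the brand.
        dist = levenshtein(sld, real_sld)
        if 0 < dist <= TYPO_DISTANCE:
            return "typosquat", f"{sld!r} is {dist} edit(s) from {real_sld!r}"
        # Lookalike: the brand is spelled out somewhere in the hostname, either as a
        # subdomain of an unrelated registrable domain or padded with extra words.
        if any(tok in host for tok in tokens):
            return "lookalike", f"brand token embedded in host {host!r} ({reg} is not {real})"
    return "unrelated", f"{reg} matches no tracked brand"


if __name__ == "__main__":
    # Constructed sample of URLs as they might appear in a web-proxy log.
    SAMPLE_URLS = [
        "https://www.washingtonpost.com/world/",
        "http://washingtonpost.some-news-mirror.net/article?id=1",
        "http://wasingtonpost.com/today",
        "http://www.independent.co.uk/news",
        "http://independent-news.info/uk",
        "http://example.org/",
    ]
    for u in SAMPLE_URLS:
        verdict, reason = classify(u)
        print(f"{verdict:<10} {u}  ({reason})")
```

In production the stand-in suffix set should be replaced by the full Public Suffix List, and hostnames should be normalised for homoglyphs and punycode before comparison; the verdict order (exact registrable match first, then edit distance, then embedded brand token) is what keeps the real newspaper sites from being flagged as their own imitations.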

References

  1. "Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers". 11 February 2014. Archived from the original on 21 February 2014. Retrieved 11 February 2014.
  2. ""The Mask" Espionage Malware". Schneier on Security, schneier.com. 11 February 2014.
  3. Lucian Constantin (11 February 2014). "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld.
  4. "Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers". Archived from the original on 21 February 2014. Retrieved 11 February 2014.
  5. "The Careto/Mask APT: Frequently Asked Questions". 10 February 2014.
  6. "Securelist". 10 February 2014. Retrieved 3 April 2015.
  7. "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld. Retrieved 2 April 2015.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Careto_(malware)&oldid=1321684386"