Tuesday, March 4, 2014

"THE MASK" - Real data breach threat.


The MASK - the most sophisticated (and frightening) attack to date!

When we say "data breach" these past months, we think of Target, Neiman Marcus and the other typical public-facing retailers. Meanwhile there has been a major threat that has attacked nations' most classified data, research interests, financial settlements and highly valued data within government offices, diplomatic missions, educational institutions, etc. The irony is that this attack has been under the radar, "invisible", for almost 6 years in almost every country and system type possible.


What is MASK ?

  • The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007, but was found only at the end of 2013. It is thought to be a Spanish-speaking group because of the word "Careto" used in some of the modules.
  • Has infected 31 countries and 1000+ IPs worldwide.
  • The most advanced threat at the current time.
  • Suspected to be a nation-state attack, because it is sophisticated and highly organized.

Targets of the Attack:

    Once the malware is active in the system, it collects a list of documents from the infected system, including encryption keys, VPN configurations and SSH keys. Some of these files are related to custom military/government-level encryption tools. The file types it looks for:

  • *.AKF,*.ASC,*.AXX,*.CFD,*.CFE,*.CRT,*.DOC,*.DOCX,*.EML,*.ENC,*.GMG,*.GPG,*.HSE,*.KEY,*.M15,*.M2F,*.M2O,*.M2R,*.MLS,*.OCFS,*.OCU,*.ODS,*.ODT,*.OVPN,*.P7C,*.P7M,*.P7Z,*.PAB,*.PDF,*.PGP,*.PKR,*.PPK,*.PSW,*.PXL,*.RDP,*.RTF,*.SDC,*.SDW,*.SKR,*.SSH,*.SXC,*.SXW,*.VSD,*.WAB,*.WPD,*.WPS,*.WRD,*.XLS,*.XLSX
  • Targets: government institutions, diplomatic offices, energy and gas companies, research institutions.
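The extension list above is the most concrete thing a defender can act on: it tells you which files on your hosts and file shares this malware would go after. The script below is an added example, not code from the original post or from Kaspersky; it parses the post's extension list, walks a directory tree and counts how many files of those types are present, so you can see your exposure and prioritise encryption and access controls for them. The directory layout it builds is constructed sample data.

```python
"""Added example (not from the original post): inventory the file types the
Mask/Careto malware is reported to collect, so a defender can see how many
such files sit on a host or share and prioritise protection for them.

The extension list is the one quoted in the post; the directory layout built
below is constructed sample data."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension list exactly as given in the post (wildcards stripped below).
MASK_EXTENSIONS_RAW = (
    "*.AKF,*.ASC,*.AXX,*.CFD,*.CFE,*.CRT,*.DOC,*.DOCX,*.EML,*.ENC,*.GMG,*.GPG,"
    "*.HSE,*.KEY,*.M15,*.M2F,*.M2O,*.M2R,*.MLS,*.OCFS,*.OCU,*.ODS,*.ODT,*.OVPN,"
    "*.P7C,*.P7M,*.P7Z,*.PAB,*.PDF,*.PGP,*.PKR,*.PPK,*.PSW,*.PXL,*.RDP,*.RTF,"
    "*.SDC,*.SDW,*.SKR,*.SSH,*.SXC,*.SXW,*.VSD,*.WAB,*.WPD,*.WPS,*.WRD,*.XLS,*.XLSX"
)


def parse_extension_list(raw: str) -> frozenset:
    """Turn the post's '*.EXT,*.EXT' string into a set of lower-case '.ext' suffixes."""
    exts = set()
    for token in raw.split(","):
        token = token.strip()
        if token.startswith("*"):
            token = token[1:]
        if token and not token.startswith("."):
            token = "." + token
        if token:
            exts.add(token.lower())
    return frozenset(exts)


MASK_EXTENSIONS = parse_extension_list(MASK_EXTENSIONS_RAW)


def inventory_sensitive_files(root, extensions=MASK_EXTENSIONS):
    """Walk `root` and count files whose suffix is in `extensions`.
    Returns (Counter of suffix -> count, sorted list of matching paths)."""
    counts = Counter()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            suffix = Path(name).suffix.lower()
            if suffix in extensions:
                counts[suffix] += 1
                hits.append(os.path.join(dirpath, name))
    return counts, sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: a few files of the targeted types plus noise."""
    sample = [
        "home/alice/.ssh/id_rsa.key",
        "home/alice/vpn/office.ovpn",
        "home/alice/docs/report.docx",
        "home/alice/docs/notes.txt",        # not a targeted type
        "home/bob/keys/backup.pgp",
        "home/bob/keys/server.crt",
        "home/bob/pictures/holiday.jpg",    # not a targeted type
        "home/bob/mail/contract.eml",
    ]
    for rel in sample:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    return root


def demo():
    """Build the sample tree in a temp dir and return (counts dict, total hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        counts, hits = inventory_sensitive_files(tmp)
        return dict(counts), len(hits)


if __name__ == "__main__":
    counts, total = demo()
    print(f"{total} files of Mask-targeted types found:")
    for ext, n in sorted(counts.items()):
        print(f"  {ext}: {n}")
```

Point `inventory_sensitive_files` at a real home directory or mounted share instead of the temp tree to get your own numbers; the `.key`, `.ovpn`, `.ppk` and `.pgp` hits are the ones worth moving into a hardware token or an encrypted store first, since the post says the malware collects exactly those credentials.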
Detection: extremely difficult because of its stealth capabilities. The malware changes when downloaded to new systems, so its signature is never the same.

Infection:

    It uses multiple vectors:

- phishing emails

- exploiting an old Adobe Flash Player vulnerability (the one first used to break the Chrome sandbox)

- prompting the user for a Java update / Chrome plugin

- subdomains styled after genuine websites (Guardian links were used in the malware)
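The last vector is the one a proxy log can catch: a lure host that carries a well-known site's name as a subdomain label under some other registered domain. The script below is an added example, not code from the original post or from Kaspersky; it scans constructed proxy-log lines for such lookalike hostnames. The watch list, the log format and the log lines are all constructed for this example, and the "last two labels" approximation of the registered domain is a simplification (a real deployment would use a public-suffix list).

```python
"""Added example (not part of the original post): flag proxy-log hostnames that
embed a well-known site's name as a subdomain label under some other domain,
the kind of lure the post describes ("subdomains of genuine websites").
The watch list and the log lines are constructed for this example."""
import re

# Constructed watch list of registered domains a lure might imitate.
WATCHED_DOMAINS = {"theguardian.com", "washingtonpost.com", "google.com"}

# Constructed log format: timestamp client user method url
LOG_LINE = re.compile(r"^\S+ \S+ (?P<user>\S+) (?:GET|POST) (?P<url>\S+)")


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registered domain (no PSL).
    Fine for .com-style names; a real deployment would use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_of(url: str) -> str:
    """Extract the host part of a URL, lower-cased; '' if it does not parse."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_lookalike(host: str, watched=WATCHED_DOMAINS) -> bool:
    """True when a watched domain (or its brand label) appears in `host` but the
    host is not actually registered under that domain, e.g.
    theguardian.com.example.net or theguardian-com.example.net."""
    host = host.lower()
    if registered_domain(host) in watched:
        return False  # genuine subdomain of the watched site
    flattened = host.replace("-", ".")  # treat 'brand-com' like 'brand.com'
    for w in watched:
        brand = w.split(".")[0]
        if w in flattened or f".{brand}." in f".{flattened}.":
            return True
    return False


def scan_proxy_log(lines):
    """Return [(user, host)] for requests whose host looks like a lure."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = hostname_of(m.group("url"))
        if host and is_lookalike(host):
            findings.append((m.group("user"), host))
    return findings


# Constructed sample proxy log lines.
SAMPLE_LOG = [
    "2014-02-10T09:01:02Z 10.1.2.3 alice GET http://www.theguardian.com/world",
    "2014-02-10T09:03:14Z 10.1.2.3 alice GET http://theguardian.com.example.net/news/update.html",
    "2014-02-10T09:04:55Z 10.1.2.9 bob GET http://mail.google.com/",
    "2014-02-10T09:05:41Z 10.1.2.9 bob GET http://washingtonpost-com.example.org/java/update",
    "2014-02-10T09:06:10Z 10.1.2.4 carol GET http://intranet.local/",
]

if __name__ == "__main__":
    for user, host in scan_proxy_log(SAMPLE_LOG):
        print(f"lookalike host requested by {user}: {host}")
```

Genuine hosts such as `www.theguardian.com` pass because their registered domain is on the watch list; only hosts that borrow the name under a different registered domain are reported. Feed it your own proxy export and extend `WATCHED_DOMAINS` with the sites your users actually visit.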

The malware uses two packages for spreading through all the connected systems: Careto and SGH.

Careto is a general-purpose backdoor that collects all the information and executes arbitrary code sent by the remote C&C servers. SGH primarily works in the kernel and maintains its own connection to the C&C.

Files from these packages are signed with a certificate, so they appear "valid".

Each works standalone without the other.

What does it do?

Once active, the Mask can intercept network traffic, keystrokes and Skype conversations, analyse WiFi traffic, fetch all information from Nokia/Android devices, take screen captures and monitor all file operations.
It collects large chunks of data from the victim, including encryption keys, VPN configurations, SSH keys and so on.

Complexity: an extremely sophisticated piece of malware, with a rootkit, a bootkit, Windows, Mac OS X and Linux versions, and possibly versions for Android and iPad/iPhone (iOS).

A customized attack on old Kaspersky Lab products lets it hide in the system "invisibly". This is the step where Kaspersky was alerted that someone was exploiting a vulnerability in their product, and eventually they discovered this malware.

It supports plug-ins, configuration files and built-in functionalities, and any additional modules can be uploaded.

Stealth and platform independence:

    The digital signature is given as issued by a fake "TechSystem" company.

Careto conquest:


Sample Careto code: the string "Careto ..." and all other modules are "encrypted".


Careto - Map of Conquest.