Kaspersky Lab Investigating 'Extremely Sophisticated Malware'

[Reefa]

“The Mask” Leverages High-end Exploits and Packs Bootkit and Rootkit With Mac OS X and Linux Versions

Kasperky Lab said on Monday that it has been investigating a sophisticated cyber-espionage operation that it is calling “one of the most advanced threats at the moment”.

“During the past months we have been busy analyzing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries,” the company wrote in a post to its Securelist blog. “We deemed this operation ‘The Mask” for reasons to be explained later.”

According to Kaspersky, the advanced malware leverages high-end exploits, and includes a bootkit and rootkit, and also has versions for Mac OS and Linux. Interestingly, researchers also found that the malware packs a customized attack specifically against Kaspersky’s security software.

The combined features of the sophisticated malware puts it above Duqu in terms of sophistication, the company said.

According to Kaspersky, authors of The Mask appear to be native in a language “observed very rarely in APT attacks”.

For the time being, Kaspersky Lab is keeping additional details under wraps, but the company said it would present more about "The Mask" at the Kaspersky Security Analyst Summit 2014 (SAS), taking place next week in Punta Cana, Dominican Republic.

The Kaspersky Security Analyst Summit is an annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community.

Over the past few years, the Russian security firm has uncovered several complex espionage campaigns likely supported by nation-states. In 2012, the company uncovered Flame, a cyber-espionage operation targeting the Middle East, principally Iran and Israel, which had connections to the infamous Stuxnet malware used in an effort to sabotage Iranian nuclear operations.

In early 2013, the company uncovered operation “RedOctober”, a sophisticated cyber-espionage campaign that targeted political and business groups throughout the world for more than five years.

In June 2013, the company uncovered NetTraveler, another cyber espionage operation that hit more than 350 businesses and government agencies throughout the world.

More recently, in September 2013, Kaspersky Lab uncovered details of “Kimsuky”, an ongoing cyber-espionage campaign targeting South Korean think tanks.

Source

[Matt]

yeah there's some threats some governments made it just to spy on us and I guess this one of them.

[Reefa]

Updated: February 10, 2014 , 1:03 pm

PUNTA CANA–A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, includes a number of unique components and functionality and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines.

The Mask APT campaign has been going on since at least 2007 and it is unusual in a number of ways, not the least of which is that it doesn’t appear to have any connection to China. Researchers say that the attackers behind the Mask are Spanish-speaking and have gone after targets in more than 30 countries around the world. Many, but not all, of the victims are in Spanish-speaking countries, and researchers at Kaspersky Lab, who uncovered the campaign, said that the attackers had at least one zero-day in their arsenal, along with versions of the Mask malware for Mac OS X, Linux, and perhaps even iOS and Android.

“These guys are better than the Flame APT group because of the way that they managed their infrastructure,” said Costin Raiu, head of the Global Research Analysis Team at Kaspersky. “The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.”

Raiu revealed the details of the Mask attack campaign during the Kaspersky Security Analyst Summit here Monday.

Interestingly, the Kaspersky researchers first became aware of the Mask APT group because they saw the attackers exploiting a vulnerability in one of the company’s products. The attackers found a bug in an older version of a Kaspersky product, which has been patched for several years, and were using the vulnerability as part of their method for hiding on compromised machines. Raiu said that the attackers had a number of different tools at their disposal, including implants that enabled them to maintain persistence on victims’ machines, intercept all TCP and UDP communications in real time and remain invisible on the compromised machine. Raiu said all of the communications between victims and the C&C servers were encrypted.

The attackers targeted victims with spear-phishing emails that would lead them to a malicious Web site where the exploits were hosted. There were a number of exploits on the site and they were only accessible through the direct links the attackers sent the victims. One of the exploits the attackers used was for CVE-2012-0773, an Adobe Flash vulnerability that was discovered by researchers at VUPEN, the French firm that sells exploits and vulnerability information to private customers. The Flash bug was an especially valuable one, as it could be used to bypass the sandbox in the Chrome browser. Raiu said the exploit for this Flash bug never leaked publicly.

While most APT campaigns tend to target Windows machines, the Mask attackers also were interested in compromising OS X and Linux machines, as well as some mobile platforms. Kaspersky researchers found Windows and OS X samples and some indications of a Linux versions, but don’t have a Linux sample. There also is some evidence that there may be versions for both iOS and Android. Raiu said there was one victim in Morocco who was communicating with the C&C infrastructure over 3G.

Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Raiu said that after the post was published, the Mask operators rolled up their campaign within about four hours.

However, Raiu said that the attackers could resurrect the operation without much trouble.

“They could come back very quickly if they wanted,” he said.

Source