Security researchers recently announced the discovery of a malware tool that stayed hidden for over seven years. Given the name "The Mask" by the team from Kaspersky, this spyware tool focused on high-profile targets using highly advanced code and techniques that are not normally found in other malware variants.
The security experts from Kaspersky indicated that "The Mask" variant was designed to specifically target governmental agencies, diplomatic offices, research companies along with major energy markets.
The spyware was designed to use combinations of attack vectors, including malware, rootkit, and bootkit methods that varied over the time it was active. Once infected, the spyware would target documents, encryption keys, VPN configuration details, as well as PDF signing keys, which would allow the recipient to create and sign PDFs as if they were the authentic owner.
In addition to the standard file types targeted by "The Mask," Kaspersky indicated that the spyware was also designed to look for files with unfamiliar extensions. These unknown extensions are believed to be part of a custom file or software systems used by governmental entities and might have been involved with encryption.
The security researchers from Kaspersky have compared "The Mask" spyware to the previously found advanced variant "Flame," which targeted specific pieces of oil infrastructure hardware in Iran. However, the researchers believe that "The Mask" is a much more advanced piece of code.
Kaspersky indicated that as of this time, nearly 400 victims have been identified across nearly two dozen countries, with the majority of attacks focused in Brazil and Morocco.
This focus has led Kaspersky's researchers to hypothesize that the attacks may have been launched from a Spanish-speaking country. "Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT [Advanced Persistent Threat] ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment," said Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab. "This level of operational security is not normal for cyber-criminal groups."
At this time, no organizations or countries have accepted blame for the creation or use of "The Mask."