Careto (malware)

Espionage malware discovered in 2014

Careto (Spanish slang for "face"), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. Kaspersky believes that the creators of the malware were Spanish-speaking.

Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain.

Payload

Careto normally installs a second and more complex backdoor program called SGH. SGH is easily modifiable and has a wider arsenal, including the ability to intercept system events and file operations and to perform a wider range of surveillance functions. The information gathered by SGH and Careto can include encryption keys, virtual private network configurations, SSH keys, and other communication channels.

Detection and removal

Careto is hard to discover and remove because of its use of stealth capabilities. In addition, most of the samples have been digitally signed. The signatures are issued from a Bulgarian company, TecSystem Ltd., but the authenticity of the company is unknown. One of the issued certificates was valid between June 28, 2011 and June 28, 2013. Another was valid from April 18, 2013 to July 18, 2016, but was revoked by Verisign.

Careto was discovered when it made attempts to circumvent Kaspersky security products. Upon discovering Careto trying to exploit their software, Kaspersky started to investigate further. As part of collecting statistics, multiple sinkholes were placed on the command and control servers. Currently, most up-to-date antivirus software can discover and successfully remove the malware.

Distribution

On investigation of the command and control servers, discoveries showed that more than 380 victims were infected. From the information that has been uncovered, the victims were infected with the malware by clicking on a spear phishing link which redirected to websites that had software that Careto could exploit, such as Adobe Flash Player. The player has since been patched and is no longer exploitable by Careto. The websites that contained the exploitable software had names similar to popular newspapers, such as The Washington Post and The Independent.

The malware is said to have multiple backdoors to Linux, Mac OS X, and Windows. Evidence of a possible fourth type of backdoor to Android and iOS was discovered on the C&C servers, but no samples were found.

It is estimated that Careto has been compiled as far back as 2007. It is now known that the attacks ceased in January 2014.

References

"Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers, 11 February 2014". Archived from the original on 21 February 2014. Retrieved 11 February 2014.
""The Mask" Espionage Malware - Schneier on Security". schneier.com.
Lucian Constantin (11 February 2014). "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld.
"Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers". Archived from the original on 2014-02-21. Retrieved 2014-02-11.
"The Careto/Mask APT: Frequently Asked Questions". 10 February 2014.
"Securelist". 10 February 2014. Retrieved 3 April 2015.
"Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld. Retrieved 2 April 2015.


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.