A sophisticated cyber spying operation, The Mask, that has been under the radar for about 7 years and targeted approximately 31 countries, has now been unmasked by researchers at Kaspersky Labs.
Researchers believe the campaign has been active since 2007 and is a highly sophisticated nation-state spying tool targeting government agencies, diplomatic offices, embassies, private companies, and activists.
In the report published by Kaspersky, over 380 unique victims were identified.
The name "Mask" comes from the Spanish slang word "Careto," meaning "Ugly Face" or "Mask," which was found in several malware modules.
Developers of The Mask (aka Careto) used a complex toolset, including advanced malware, bootkits, and rootkits capable of:
- Sniffing encryption keys
- Intercepting VPN configurations, SSH keys, and RDP files
- Monitoring network traffic, keystrokes, Skype conversations, Wi-Fi traffic
- Capturing screens and tracking file operations
The malware specifically targeted files with the following extensions:
*.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX
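The extension list above is the most directly usable detection artefact in the report: a single process reading key material, VPN/RDP configuration and documents in quick succession is the collector's signature, whatever its binary is called. The following script is an added example (not code from Kaspersky or from the malware) that groups the listed extensions by what they expose and flags processes touching several groups; the audit-log line format and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Extensions taken from the article's target list, grouped by what they expose.
CATEGORIES = {
    "crypto_keys": {".gpg", ".pgp", ".asc", ".key", ".pkr", ".skr", ".p7c", ".p7m", ".crt"},
    "remote_access": {".ovpn", ".rdp", ".ppk", ".ssh"},
    "documents": {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".odt", ".ods"},
    "mail_contacts": {".eml", ".pab", ".wab"},
}

# Assumed audit-log layout (constructed for this example, not a real product format):
#   <timestamp> pid=<n> proc=<image> op=<read|write> path=<file path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+proc=(?P<proc>\S+)\s+op=(?P<op>\w+)\s+path=(?P<path>.+)$"
)

def categorize(path):
    """Map a file path to a sensitive category, or None if it is not on the list."""
    name = re.split(r"[\\/]", path.strip())[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for category, exts in CATEGORIES.items():
        if ext in exts:
            return category
    return None

def suspicious_processes(lines, min_categories=2):
    """Return {(pid, proc): [categories]} for processes that read files from at
    least `min_categories` distinct groups (keys *and* VPN configs *and* documents)."""
    touched = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in another format
        category = categorize(m["path"])
        if category:
            touched[(m["pid"], m["proc"])].add(category)
    return {k: sorted(v) for k, v in touched.items() if len(v) >= min_categories}

# Constructed sample log: pid 4120 behaves like the Careto collector, the others do not.
SAMPLE_LOG = [
    r"2014-02-10T09:12:01 pid=4120 proc=rundll32.exe op=read path=C:\Users\alice\.ssh\id_rsa.ppk",
    r"2014-02-10T09:12:02 pid=4120 proc=rundll32.exe op=read path=C:\Users\alice\AppData\gnupg\secring.gpg",
    r"2014-02-10T09:12:03 pid=4120 proc=rundll32.exe op=read path=C:\Users\alice\vpn\office.ovpn",
    r"2014-02-10T09:12:04 pid=4120 proc=rundll32.exe op=read path=C:\Users\alice\Desktop\budget.xlsx",
    r"2014-02-10T09:15:10 pid=2210 proc=winword.exe op=read path=C:\Users\alice\Desktop\report.docx",
    r"2014-02-10T09:15:11 pid=2210 proc=winword.exe op=read path=C:\Users\alice\Desktop\notes.txt",
    r"2014-02-10T09:20:00 pid=3050 proc=openvpn.exe op=read path=C:\Users\alice\vpn\office.ovpn",
]

if __name__ == "__main__":
    for (pid, proc), cats in suspicious_processes(SAMPLE_LOG).items():
        print(f"pid {pid} ({proc}) read sensitive files of types: {', '.join(cats)}")
```

Legitimate tools such as a mail client or a VPN daemon touch one group only, which is why the threshold is on distinct groups rather than on file count.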
Victims were identified in countries including Algeria, Argentina, Belgium, Brazil, China, Egypt, France, Germany, Iran, Libya, Mexico, Spain, United Kingdom, United States, and more.
The malware could infect devices running Windows, Mac OS X, Linux, iPad/iPhone, and Android.
A critical component found was a CAB file containing shlink32.dll and shlink64.dll. The malware extracts and installs the appropriate file depending on the system architecture.
Another backdoor module called SGH performed extensive surveillance functions, while modules like DINNER and SBD handled network connectivity and logical operations.
To infect Linux, the malware used a Firefox plugin named "af_l_addon.xpi," hosted on "linkconf.net."
Spear phishing was the primary delivery method: victims were lured to malicious websites hosting exploits. The attackers used fake SSL certificates and mimicked legitimate domains, such as those of newspapers.
Kaspersky researchers found C&C communication protected with double encryption—AES and RSA—highlighting the sophistication of this campaign.
"The Mask malware's C&C channel is protected by two layers of encryption: AES for temporary keys and RSA for secure communication. This double encryption demonstrates a high level of sophistication."
During Kaspersky's investigation, the C&C servers were found offline, suggesting that attackers were monitoring their malware activity closely.
The authors and origin of The Mask remain unidentified, leaving the investigation open.