Skip to content

Sophisticated Careto Virus Discovered - Attackers infect via Phishing

Posted by Geraldine Hunt on Tue, Feb 18th, 2014

Security researchers and antivirus software developers at  Kaspersky (which is one of the anti virus solutions included with SpamTitan anti spam), this week found the Careto virus.  This virus was lurking in the same place as a related virus found a few years ago. Kaspersky published a detailed forensic report to explain what they found. Some of this forensics you could have done yourself; other is much more complex.  For example, they use the Linux program “strings” to extract text from the executable file.  There they found comments and instructions that the programmer had written in Spanish, plus the name of the virus itself: Careto.

Servers used by attackers revealed 380+ victims from 31 countries. 

Kaspersky says this Spanish word means “ugly face” or “mask”.  According to Kaspersky ‘What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone)’. It’s believed that some foreign government paid to develop the virus, because it works on so many systems, suggesting a large team and much effort.  Data found by investigating and monitoring a set of command-and-control (C&C) servers used by the attackers revealed more than 380 unique victims from 31 countries. The main targets were government organisations including embassies, energy, oil and gas companies, research institutions, and activist’s and private equity firms.

Careto spreads using phishing. If you clicked on a mail containing their malicious link, you would have been sent to mock-up copies of El Pais, The Washington Post, El Especatdor, El Mundo, and Publico newpapers.  The actual link is hidden.  It says, for example: elpais.linkconf(dot)net.  Careto infected some computers by exploiting a weakness in the 2012 version of Adobe Flash (Flash is used to display video in certain web pages.). The other attack was made by hiding an executable program in an otherwise harmless .jpeg picture file.  The names are: dinner.jpg, waiter.jpg, and chef.jpg.  

For victims a Catero malware infection spells disaster.

The virus intercepts all communication channels and collects information from the victim’s machine.Once installed, the virus steals encryption keys, records Skype calls, transcribes what you type, and listens in on data coming to and from your device. It then sends these stolen passwords, email addresses, and bank account numbers, and other secrets to a set of command and control servers, controlled by the hackers.  One of these was found running inside a SoftLayer data centre, a cloud-service provider.

 Detection is difficult because of stealth rootkit capabilities, built-in functionalities and additional cyber-espionage modules. Having made their discovery, Kaspersky was able to follow the virus’s forensic clues to show what computers were affected and provide lots of details about where the virus came from.  Kaspersky Lab’s products detects and removes all known versions of The Mask/Careto malware so you are safe from Careto when using SpamTitan anti spam.

Related Articles

Never Miss a Blog Post

Sign-up for email updates...

Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us