    This Very Complex Malware Has Been Spreading Since 2007, and It's Not Clear Where It Came From

    Written by Derek Mead


    Where Careto got its name. Image: Kaspersky

    A surprisingly sophisticated malware named Careto has been infecting computers globally since at least 2007, a new report from security firm Kaspersky revealed today. While the virus, also known as The Mask, appears to have originated in a Spanish-speaking country—careto, a Spanish slang term for an ugly face, was found in the code—it's so complex that it's not clear the average hacker could have built it.

    According to Kaspersky's report, Careto is definitely aimed at power brokers—government and diplomatic targets, private companies (especially in the energy sector), research institutions, private equity firms, and activists—and 380 victims with over 1000 IP addresses in 31 countries have been found so far. 

    Aside from its targets, the truly notable thing about the virus is how flexible it is. The researchers write that it "includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS)." Once a system is infected, Careto can access network traffic, log keystrokes, record Skype conversations, and hunt around for files—most notably PGP keys.

    As you might expect based on the targets, finding sensitive data appears to be Careto's specialty, "including encryption keys, VPN configurations, SSH keys and RDP files," the report states. "There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools."

    Kaspersky's researchers say the first Careto attack they uncovered was a spear-phishing email campaign that used exploit websites masquerading as subdomains of popular Spanish and international news websites, including the Washington Post and Politico. From there, Careto takes advantage of at least three different backdoors across Windows and OS X, with "traces" of others, including backdoors for Linux and mobile operating systems, noted but not confirmed by the researchers.

    With a high-powered virus, the obvious question is where it came from. To that end, the answer seems fairly obvious, if extremely difficult to prove: Careto is quite possibly the work of a nation-state. 

    "Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files," Costin Raiu, the director of Kaspersky's Global Research and Analysis Team, said in a release. "This level of operational security is not normal for cyber-criminal groups."

    It is, however, to be expected of state-sponsored attackers, who have the money to spend on sophisticated tools, and all the reasons in the world not to get caught. We all remember Stuxnet, which was likely created by a nation-state, as well as Duqu, which was the baddest on the block until Careto came around. But beyond knowing that someone official likely built Careto, it's hard to tell where it came from—although Spanish-language viruses of this nature are apparently pretty rare. In any case, there's one clear truth: the cyber-espionage sector is continually gathering steam.