Modern malware campaigns use classic techniques, despite claims of sophistication.
According to researchers at Context Information Security, there are classic virus techniques at the heart of The Mask, or Careto, espionage malware. Despite being described by Kaspersky as one of the “most advanced global cyber-espionage operations to date” and widely attributed to sophisticated, state sponsored cyber attacks, Context claimed that the malware appears to rely on technology plucked out of the history books.
Kevin O’Reilly, senior researcher at Context, said: “While hidden in the complexity of the malware, Careto/The Mask uses the well-known technique of infecting the first executable that loads when Windows boots.
“This discovery seems to suggest that old tricks are sometimes the best and also begs the question; is this a nod of respect to the virus writers who wreaked havoc in the 1990s, or have they come out of retirement to develop a new nation-state cyber-weaponry arsenal?”
When it was announced in February by Kaspersky Lab, it was said to have been active over the past seven years and targets Government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organisations and activists in more than 31 countries. An intelligence-gathering piece of malware, it collects office documents, various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer).
The Mask uses multiple vectors for attack, including at least one Adobe Flash Player exploit from 2012. Kaspersky said that what makes The Mask special is the complexity of the toolset and a customised attack against older Kaspersky products in order to hide in the system.
In defence of its research, David Emm, senior regional researcher, UK of the Kaspersky Lab Global Research & Analysis Team, told IT Security Guru that Kaspersky stands by its assessment of this malware as ‘one of the most advanced threats at the current time’, notwithstanding any ‘old school’ technique used in one aspect of the malware.
He said: “I don’t think the strategy of infecting files – or executable code loaded from a system sector – that load early in the boot process ever disappeared. The series of ‘bootkits’ we’ve seen in recent years (e.g. Sinowal) testifies to this.
“The Context comment calls to mind Eugene’s comments at the time that MiniDuke appeared– specifically relating to the inclusion of old school code reminiscent of the 29A group.”
O’Reilly also said that now that this malware campaign has been discovered, anti-virus vendors have added detection to their products, so it is no longer a real risk. “The historical attack vector was targeted phishing emails or spear phishing with infected attachments, but is unlikely that this is still happening using this specific toolset. What is unclear is whether this is a one off or a trend to watch out for.”
