Careto (malware)
From Wikipedia, the free encyclopedia
 


Careto (Spanish slang for "face"), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state.[1] Kaspersky believes that the creators of the malware were Spanish-speaking.[1]

Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain.[2]

Payload

Careto normally installs a second, more complex backdoor program called SGH. SGH is easily modifiable and has a wider arsenal, including the ability to intercept system events and file operations and to perform a wider range of surveillance functions.[3] The information gathered by SGH and Careto can include encryption keys, virtual private network configurations, SSH keys, and data from other communication channels.[4]

Detection and removal

Careto is hard to discover and remove because of its stealth capabilities. In addition, most of the samples have been digitally signed. The signing certificates were issued to a Bulgarian company, TecSystem Ltd., but whether the company is genuine is unknown. One of the certificates was valid between June 28, 2011 and June 28, 2013. Another was valid from April 18, 2013 to July 18, 2016, but was revoked by Verisign.[5]
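A small triage helper, added here as an example and not part of the article or of any vendor's tooling, that checks an inventory of signed files against the signer details the article reports (the company name, the two validity windows and the revocation); the inventory lines, their field format and the file identifiers are constructed.

```python
from datetime import date

# Signer details the article reports for Careto samples: certificates issued to
# "TecSystem Ltd.", one valid 2011-06-28..2013-06-28, another 2013-04-18..2016-07-18
# that Verisign revoked. Everything else below is constructed for illustration.
CARETO_SIGNER = "TecSystem Ltd."
CARETO_CERT_WINDOWS = {
    (date(2011, 6, 28), date(2013, 6, 28)): "2011-2013 certificate",
    (date(2013, 4, 18), date(2016, 7, 18)): "2013-2016 certificate, revoked",
}

def parse_line(line):
    """Parse one 'id | signer | not_before | not_after | signing_time | revoked' record."""
    ident, signer, nb, na, st, revoked = [f.strip() for f in line.split("|")]
    return {"id": ident, "signer": signer, "revoked": revoked.lower() == "yes",
            "not_before": date.fromisoformat(nb), "not_after": date.fromisoformat(na),
            "signing_time": date.fromisoformat(st)}

def triage(rec):
    """Return the reasons a signed file deserves a closer look (empty list = nothing flagged)."""
    reasons = []
    window = (rec["not_before"], rec["not_after"])
    if rec["signer"] == CARETO_SIGNER:
        reasons.append("signer matches the company named on the Careto certificates")
    if window in CARETO_CERT_WINDOWS:
        reasons.append("validity window matches a known Careto " + CARETO_CERT_WINDOWS[window])
    if rec["revoked"]:
        reasons.append("signing certificate revoked")
    if not rec["not_before"] <= rec["signing_time"] <= rec["not_after"]:
        reasons.append("signed outside the certificate validity period")
    return reasons

def triage_inventory(lines):
    """Map file id -> reasons for every record that raised at least one flag."""
    flagged = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        rec = parse_line(line)
        if reasons := triage(rec):
            flagged[rec["id"]] = reasons
    return flagged

# Constructed inventory; ids are placeholders, not real Careto indicators.
SAMPLE_INVENTORY = """
# id | signer | not_before | not_after | signing_time | revoked
sample-01 | TecSystem Ltd. | 2011-06-28 | 2013-06-28 | 2012-03-15 | no
sample-02 | TecSystem Ltd. | 2013-04-18 | 2016-07-18 | 2013-09-01 | yes
sample-03 | Example Software Inc. | 2012-01-01 | 2015-01-01 | 2013-05-20 | no
sample-04 | Example Software Inc. | 2012-01-01 | 2015-01-01 | 2016-02-02 | no
""".splitlines()
```

Calling `triage_inventory(SAMPLE_INVENTORY)` flags sample-01 and sample-02 on the signer and certificate details, and sample-04 only because its signing time falls after the certificate expired.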

Careto was discovered when it attempted to circumvent Kaspersky security products.[6] After observing Careto trying to exploit its software, Kaspersky investigated further. To collect statistics, multiple command and control servers were sinkholed.[5]

Most current antivirus software can detect and successfully remove the malware.

Distribution

Investigation of the command and control servers showed that more than 380 victims were infected. From the information uncovered, victims were infected by clicking on a spear phishing link that redirected to websites exploiting vulnerable software such as Adobe Flash Player. The player has since been patched and is no longer exploitable by Careto. The websites hosting the exploits had names similar to those of popular newspapers, such as The Washington Post and The Independent.[7]

The malware is said to have multiple backdoors for Linux, Mac OS X, and Windows. Evidence of a possible fourth type of backdoor for Android and iOS was discovered on the C&C servers, but no samples were found.[3]

Careto samples are estimated to have been compiled as far back as 2007. The attacks are now known to have ceased in January 2014.[5]

References

  1. "Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers", 11 February 2014. Archived from the original on 21 February 2014. Retrieved 11 February 2014.
  2. ""The Mask" Espionage Malware". Schneier on Security, schneier.com.
  3. Lucian Constantin (11 February 2014). "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld.
  4. "Kaspersky Lab Uncovers "The Mask": One of the Most Advanced Global Cyber-espionage Operations to Date Due to the Complexity of the Toolset Used by the Attackers". Archived from the original on 21 February 2014. Retrieved 11 February 2014.
  5. "The Careto/Mask APT: Frequently Asked Questions".
  6. "Securelist". Retrieved 3 April 2015.
  7. "Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years". PCWorld. Retrieved 2 April 2015.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Careto_(malware)&oldid=1195634162"
This page was last edited on 14 January 2024, at 17:38 (UTC).