Archives for 


Careto/Mask APT cyber-espionage operations running and undetected for 7 long years

Warning: Illegal string offset 'filter' in /home/crypton1/public_html/ on line 1409

Its almost sounded unbelievable when Kaspersky research published a cyber espionage APT campaign MASK (Careto) that’s been running in the wild since 2007, undetected, targeting 31 countries.   The complexity of the tools used for MAST by the attackers are very sophisticated which makes its very special. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit for Windows, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).

The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules. – Kaspersky

The targets of Careto includes Government institutions, Diplomatic offices and embassies, Energy, oil and gas companies, Research institutions, Private equity firms and Activists.

Kaspersky observed more than 1000 IP’s infected  in 31 countries. Although the exact number is not known.

The countries that infections were observed were Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.












How does Careto work ?

The malware intercepts all the communication channels and collects the most vital information from the infected system. Detection is extremely difficult because of stealth rootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high.

Propagation :

Careto is spread by spear-phishing e-mails with links to a malicious websites. The exploits on the malacious websites are designed to infect the clean visitor, depending on his computer configuration( Windows, Mac or browser specific). Once the user is infected , the malicious website redirects the user to genuine site which may be google or any news portal.

Attack Vectors :  There has been multiple vectors responsible for the attack. Howver Adobe exploit for flash players has been dominant. (CVE-2012-0773)

CVE-2012-0773  was the first exploit to break the Chrome sandbox and was used to win the CanSecWest Pwn2Own contest in 2012. The exploit caused a bit of a controversy because the VUPEN team refused to reveal how they escaped the sandbox, claiming they were planning to sell the exploit to their customers. It is possible that the Careto threat actor purchased this exploit from VUPEN.(See story by Ryan Naraine) – Kaspersky

Post Infection :

Upon infection, the malware collects a large list of documents from the infected computer, includs encryption keys, VPN configurations, SSH keys and RDP data. Multiple unknown extensions being monitored that we have not been able to identify and could be related to custom military/government-level encryption tools.

The full list of files that was analysed were:


A paper was published and is available here

Info-graphic :                                                                                                


Share Button

Adobe released Emergency Flash Player update for critical zero day threat – CVE-2014-0497

Warning: Illegal string offset 'filter' in /home/crypton1/public_html/ on line 1409
Adobe released an emergency patch for a critical vulnerability affecting Flash Player for Windows, Linux and OS X, the exploitation of which can result in an attacker gaining remote control of the compromised systems. The security flaw exists in Adobe Flash Player and earlier versions  Adobe thanks Alexander Polyakov and Anton Ivanov of Kaspersky Labs […]
Share Button
Continue reading →

High Critical Remote Command Execution vulnerability – Apache Struts 2.x OGNL Vulnerability CVE-2013-2251 explianed

Warning: Illegal string offset 'filter' in /home/crypton1/public_html/ on line 1409
The Remote Code Execution vulnerability Apache Structs 2.x which was discovered July 17th appears to be seen more often as reported by sans last week. A bulletin detailing exploit attempts targeting this vulnerability has  been seen lately by sans. The CVE identified for this issue is  CVE-2013-2251.  It’s a high critical remote code execution which […]
Share Button
Continue reading →

Privilege escalation Linux – CVE-2013-2094

Warning: Illegal string offset 'filter' in /home/crypton1/public_html/ on line 1409
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. A vulnerability was discovered using fuzzing in linux kernels 2.6.37 till 3.8.9. The vulenrability requires the kernel to be compiled with PERF_EVENTS, but unfortunately that seems […]
Share Button
Continue reading →