The Careto malware has been running around quietly, doing its work undercover for nearly seven years before being discovered. In fact, security firm Kaspersky Labs did introduce a research paper which uncovered the existence of Careto, which managed to remain undetected all this while since it has proven to be a highly complex malware. Known as “The Mask” in English (based on a loose translation) , Careto will snoop around high-level targets such as government institutions, embassies and large energy corporations. According to Kaspersky in a PDF file, “The Mask” has quite an extensive reach, claiming nearly 380 unique victims already with over 1,000 IPs along the way across 31 countries. Some of these countries would include the movers and shakers of the world, such as China, France, Germany, the UK and the U.S.
Kaspersky originally spotted Careto in a spear phishing email campaign, where this campaign hopes to entice the recipient over to malicious websites that have been disguised as news sites such as The Guardian and the Washington Post. As for the authors, they do seem to be native in the Spanish language.
This particular campaign was active for at least five years until January this year, since some Careto samples were compiled in 2007. Throughout the entire effort put in by Kaspersky Lab’s investigations, the command-and-control (C&C) servers were actually shut down. Infections have happened in Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela. While there are different attack vectors used, one of them would be the Adobe Flash Player exploit (CVE-2012-0773). [Press Release]
Filed in Malware.. Read more about