Careto (malware)

Careto (Spanish slang for "face"), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. Kaspersky believes that the creators of the malware were Spanish-speaking. Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain.


Payload

Careto normally installs a second, more complex backdoor program called SGH. SGH is easily modifiable and has a wider arsenal, including the ability to intercept system events and file operations and to perform a wider range of surveillance functions. The information gathered by SGH and Careto can include encryption keys, virtual private network (VPN) configurations, SSH keys, and data from other communication channels.


Detection and removal

Careto is hard to discover and remove because of its stealth capabilities. In addition, most of the samples have been digitally signed. The certificates were issued to a Bulgarian company, TecSystem Ltd., but whether the company is genuine is unknown. One of the certificates was valid between June 28, 2011 and June 28, 2013. Another was valid from April 18, 2013 to July 18, 2016, but was revoked by VeriSign. Careto was discovered when it attempted to circumvent Kaspersky security products. After observing Careto trying to exploit their software, Kaspersky investigated further. To collect statistics, multiple command and control servers were sinkholed. Most up-to-date antivirus software can now detect and remove the malware.
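The practical lesson of the signed samples is that "the signature verifies" is not evidence of trust: a signer can be a front company, a certificate can be used after its window, and a signature timestamped before revocation can still validate. The following triage routine is an added example (not Kaspersky's tooling or anything from the Careto samples) that turns signer facts into hunt findings. The two validity windows are the ones reported above for the TecSystem certificates; the sample names, signing times, the revocation date and the second signer are constructed for illustration, and extracting these fields from a PE's Authenticode blob is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc

# Hypothetical hunt watchlist. "TecSystem" is the signer named in the Careto
# reporting; matching is a case-insensitive substring check so "TecSystem Ltd."
# and "TECSYSTEM LTD" both hit. Extend with other signers your team tracks.
SIGNER_WATCHLIST = ("tecsystem",)


@dataclass
class SignatureInfo:
    """Facts an analyst pulls from a sample's Authenticode signature.
    Extraction from the PE is out of scope here; values are supplied directly."""
    sample: str
    signer_cn: str
    not_before: datetime
    not_after: datetime
    signed_at: datetime                    # countersignature timestamp, or first-seen if none
    revoked_at: Optional[datetime] = None  # revocation date from CRL/OCSP, if any


def triage_signature(sig: SignatureInfo, watchlist=SIGNER_WATCHLIST) -> List[str]:
    """Return every reason this signature must not be read as a sign of trust."""
    findings = []
    if any(w in sig.signer_cn.lower() for w in watchlist):
        findings.append("signer on watchlist")
    if not (sig.not_before <= sig.signed_at <= sig.not_after):
        findings.append("signed outside certificate validity window")
    if sig.revoked_at is not None:
        # A timestamped signature made before revocation can still verify under
        # lifetime-signing rules, so it is flagged either way; the wording just
        # tells the analyst which case they are looking at.
        when = "before" if sig.signed_at < sig.revoked_at else "after"
        findings.append(f"certificate revoked ({when} signing)")
    return findings


def verdict(sig: SignatureInfo) -> str:
    """Collapse the findings into a queue decision."""
    return "escalate" if triage_signature(sig) else "signed-by-unflagged-signer"


def constructed_samples() -> List[SignatureInfo]:
    """Constructed records: the windows are the reported TecSystem ones,
    everything else (names, times, revocation date) is made up for the demo."""
    cert_a = (datetime(2011, 6, 28, tzinfo=UTC), datetime(2013, 6, 28, tzinfo=UTC))
    cert_b = (datetime(2013, 4, 18, tzinfo=UTC), datetime(2016, 7, 18, tzinfo=UTC))
    return [
        SignatureInfo("sample_a.dll", "TecSystem Ltd.", *cert_a,
                      datetime(2012, 3, 1, tzinfo=UTC)),
        SignatureInfo("sample_b.dll", "TecSystem Ltd.", *cert_b,
                      datetime(2013, 9, 1, tzinfo=UTC),
                      revoked_at=datetime(2014, 2, 1, tzinfo=UTC)),
        SignatureInfo("vendor_tool.exe", "Example Vendor Inc.", *cert_b,
                      datetime(2014, 1, 1, tzinfo=UTC)),
        SignatureInfo("stale.exe", "Example Vendor Inc.", *cert_a,
                      datetime(2014, 1, 1, tzinfo=UTC)),
    ]


if __name__ == "__main__":
    for s in constructed_samples():
        print(f"{s.sample:16} {verdict(s):28} {triage_signature(s)}")
```

Only the watchlist hit is Careto-specific; the window and revocation checks are what catch the next front-company certificate before anyone has published its name.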


Distribution

Investigation of the command and control servers showed that more than 380 victims had been infected. From the information uncovered, victims were infected by clicking a spear-phishing link that redirected to websites hosting exploits for software such as Adobe Flash Player. The Flash Player vulnerability has since been patched and can no longer be exploited by Careto. The websites hosting the exploits had names resembling those of popular newspapers, such as ''The Washington Post'' and ''The Independent''. The malware is said to have backdoors for Linux, Mac OS X, and Windows. Evidence of a possible fourth type of backdoor, for Android and iOS, was found on the C&C servers, but no samples were recovered. Careto is estimated to have been compiled as far back as 2007. The attacks are known to have ceased in January 2014.
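The newspaper-lookalike lure domains are the one part of the delivery chain a defender can screen for in mail and proxy logs before any exploit runs. The classifier below is an added example, not part of the Careto reporting, and reproduces none of the actual lure domains: the legitimate brand domains and their tokens are assumed, and the URLs in the usage run are constructed. It treats a hostname as legitimate only if it is the brand's registrable domain or a subdomain of it, and flags a hostname as a lookalike when a label equals the brand's core label under some other domain, embeds a brand token, or sits within a small edit distance of the core label.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed brand list: registrable domain -> tokens an attacker would reuse.
BRANDS: Dict[str, List[str]] = {
    "washingtonpost.com": ["washingtonpost", "wapo"],
    "independent.co.uk": ["independent"],
}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; hostname labels are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' and trailing dot removed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_url(url: str, brands: Dict[str, List[str]] = BRANDS,
                 max_edits: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_brand_domain). Verdicts: legitimate, lookalike,
    unrelated, unparseable. A legitimate match is checked first so that
    genuine subdomains never trip the lookalike rules."""
    host = host_of(url)
    if not host:
        return ("unparseable", None)
    for legit in brands:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    for legit, tokens in brands.items():
        core = legit.split(".")[0]
        for label in host.split("."):
            if label == core:
                return ("lookalike", legit)   # brand label under a foreign domain
            if any(t in label for t in tokens):
                return ("lookalike", legit)   # token embedded, e.g. "the-independent"
            if len(label) >= len(core) - max_edits and levenshtein(label, core) <= max_edits:
                return ("lookalike", legit)   # typo/homoglyph, e.g. "washingtonp0st"
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed URLs for the demo; none of these are real Careto infrastructure.
    for u in ["https://www.washingtonpost.com/world",
              "http://washingtonp0st.com/breaking",
              "http://washingtonpost.com.example.net/login",
              "http://the-independent.co.uk/news",
              "https://example.org/"]:
        print(f"{classify_url(u)[0]:12} {u}")
```

The edit-distance rule is deliberately bounded by label length so short generic labels such as "co" or "com" cannot match a long brand name; tune `max_edits` and the token list per brand, and feed the classifier the hostnames from proxy or mail-gateway logs rather than the raw body text of a message.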

