Modern cyberespionage campaigns are regularly defined by their level of sophistication and professionalism. “The Mask”, a cyberespionage group unveiled by Kaspersky earlier today, is no exception. Symantec’s research into this group shows that The Mask has been in operation since 2007, using highly-sophisticated tools and techniques to compromise, monitor, and exfiltrate data from infected targets. The group uses high-end exploits and carefully crafted emails to lure unsuspecting victims. The Mask has payloads available for all major operating systems including Windows, Linux, and Macintosh.
An interesting aspect of The Mask is the fact that they are targeting the Spanish-speaking world and their tools have been specifically designed for this. The targets appear to reside mainly in Europe and South America.
The longevity of the operation, the access to highly sophisticated tools, and the precise and targeted nature of the victims indicate this is a very professional, well organized team with substantial resources.
Targeting the victim
The Mask typically infects the victim with a highly targeted email. Using the lure of a CV (resume) or political content, the attachments observed have been in the form of malicious PDF or Microsoft Word documents. The following is a sample of some of the attachment names used:
- Inspired By Iceland.doc
- DanielGarciaSuarez_cv_es.pdf
- cv-edward-horgan.pdf
Upon opening the document, the recipient is presented with what looks like a legitimate document, however a malicious remote access Trojan (RAT) is also installed, allowing full remote access to the compromised computer. Once compromised, The Mask can then install additional tools for enhanced persistence and cyberespionage activities.
Cyberespionage – a professional suite
The Mask has a suite of tools at its disposal. One tool in particular distinguishes this group from typical cyber operations. Backdoor.WeevilB, a sophisticated cyberespionage tool that is modular in nature, has a plugin architecture and has a myriad of configuration options. This tool is reminiscent of those associated with other sophisticated campaigns such as Duqu, Flamer, and MiniDuke. However there is no evidence that The Mask is associated with these campaigns.
The default install boasts nearly 20 modules purpose built for intercommunication, network sniffing, activity monitoring, exfiltration, and rootkit capabilities.
Figure. Some of The Mask’s modules
The plugin architecture allows for additional modules to be downloaded and loaded on the fly. The Trojan can log activity in all the major browsers and has a comprehensive list of file extensions to gather information on. The types of documents targeted by the Trojan are:
- Word, PDF, Excel
- Encrypted files, PGP keys, encryption keys
- Mobile backup files
- Email archives
The information can then be securely exfiltrated to attacker controlled servers using the HTTPS protocol.
The data-stealing component provides clues as to The Mask’s targets. It searches for documents in Spanish-language pathnames, for example “archivos de programa”, indicating that their targets are running Spanish-language operating systems.
Conclusion
Cyberespionage campaigns conducted by professional teams are increasingly common. Numerous espionage operations spanning years have been highlighted over the last few years. Examples include Flamer, MiniDuke, and Hidden Lynx. The Mask joins this notorious list but also shows how the targets of these sophisticated campaigns are becoming increasingly diverse. Coinciding with these campaigns has been the emergence of companies who develop tools for use in espionage campaigns. Companies such as Hacking Team and Gamma International provide remote access suites that offer sophisticated surveillance capabilities. All of this serves to highlight how the geographical and technical boundaries of cyberespionage are expanding.
Protection
Symantec has the following detection in place for this threat.
- Backdoor.Weevil
- Backdoor.Weevil.B
- WS.SecRiskOther.1
- WS.Reputation.1
- Trojan.Horse
We also provide network protection with the following Intrusion Prevention Signature:
System Infected: Trojan.Weevil Activity