Events

A Glimpse Behind “The Mask”

The world of APTs is a colorful place. In 2012, we uncovered Flame, a massive cyberespionage operation infiltrating computers in the Middle East. Our research indicated a connection with the wellknown Stuxnet cyberweapon, designed to sabotage the Iranian nuclear program. In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.

Our analysis of all these different APT operations indicated an unique use of languages, that offer clues regarding some of the people behind these operations. If the comments in the Flame C&C were written in English, artifacts in RedOctober indicated Russian speakers, NetTraveler indicated Chinese natives. Finally, Kimsuky indicated Korean speaking authors, which we linked to North Korea.

During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation “The Mask” for reasons to be explained later.

The “Mask” is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products. This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment.

Most interesting, the authors appears to be native in yet another language which has been observed very rarely in APT attacks.

We will present more details about the “Mask” APT next week at the Kaspersky Security Analyst Summit 2014 (on Twitter, #TheSAS2014).

A Glimpse Behind “The Mask”

Your email address will not be published. Required fields are marked *

 

Reports

Focus on DroxiDat/SystemBC

An unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack.

APT trends report Q2 2023

This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Subscribe to our weekly e-mails

The hottest research right in your inbox