The Mask malware employs vintage virus techniques

12 June 2014
By Edd Gent

The Mask malware toolkit uses classic virus writing tricks from the 80s and 90s in its code

Malware dubbed one of the “most advanced global cyber-espionage operations to date” is using old-school virus techniques, according to new research.

A new family of malware dubbed ‘The Mask’ or ‘Careto’, the Spanish for mask, was revealed in February by cyber-security company Kaspersky, which said the campaign appeared to be state-sponsored and to have originated from a Spanish-speaking country.

But despite its complex nature, researchers at Context Information Security, after acquiring samples of the malware, have uncovered at the heart of its code classic techniques commonly employed by virus writers in the 80s and 90s.

The virus uses a file-appending mechanism to infect the boot process of a system, which Context describes as a trick “straight from the history books”, allowing malicious code to run as soon as the operating system starts loading.

“While hidden in the complexity of the malware, Careto or The Mask uses the well-known technique of infecting the first executable that loads when Windows boots,” says Kevin O’Reilly, a senior researcher at Context.

“This discovery seems to suggest that old tricks are sometimes the best and also begs the question: is this a nod of respect to the virus writers who wreaked havoc in the 90s or have they come out of retirement to develop a new nation-state cyber-weaponry arsenal?”

The Mask is a wide-ranging malware toolset with a variety of capabilities, including intercepting network traffic from a victim’s PC, keystrokes, Skype conversations, PGP encryption keys, wireless traffic and file activity.

It also has the capability to harvest a wide range of files from the infected system, including encryption and SSH keys, VPN and remote desktop configurations.

According to Kaspersky, it had operated undetected since 2007, targeting government agencies, diplomatic embassies, energy companies, research institutions, private equity firms and activists in 31 countries, and had infected more than 380 targets before it stopped operating.

“Now that it has been discovered, anti-virus vendors have added detection to their products so it is no longer a real risk,” says O’Reilly.

“The historical attack vector was targeted phishing emails or spear phishing with infected attachments, but it is unlikely that this is still happening using this specific toolset. What is unclear is whether this is a one-off or a trend to watch out for.”

Full details of the research are available on Context’s blog.
