Posted by: David Harley | February 10, 2014


In “Kaspersky looks behind The Mask” I commented on Kaspersky’s teaser for its conference revelations about the malware it calls The Mask. The company has now released a hefty 64-page description as a PDF: Unveiling “Careto” – The Masked APT.

The report comments:

What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).

Symantec has a brief summary in an article by Stephen Doherty on The Mask. And according to a SecurityWeek article, Kaspersky’s Costin Raiu reported that the attackers shut down their operation within four hours of the publication of Kaspersky’s teaser blog.

In case you were wondering, the mysterious “(human) language not usually associated with APTs” turns out to be Spanish.

David Harley
Small Blue-Green World


  1. There seem to be contradictions in Kaspersky’s description of the malware. They claim it exploited problems in Kaspersky 2008 (a PPC-based product on the Mac), yet could attack the latest Mac OS (which cannot run PPC-based software). They also claim that it modified the Applications Directory, which should not be possible (without an Admin Password) on any of the last several versions of Mac OS.

    • I haven’t looked in detail at the report yet, still less the malware, but those don’t seem to me to be contradictions. It’s routine for malware to attempt to exploit old vulnerabilities as well as newer stuff, and anyway the malware appears to go back to 2007, and the report reflects that. Requiring authentication on the Apps directory is a Good Thing, but it’s always vulnerable to social engineering, not to mention the occasional bypass exploit. The report does acknowledge that there are gaps in knowledge the current analysis couldn’t address.
