This Crazy-Advanced Malware Has Been Infecting Governments Since 2007
Dubbed "Careto," after the Spanish slang for "mask" or "ugly face" that appears in some of its code, the malware relies on spearphishing emails containing malicious links disguised as subdomains of well-known news websites, including The Washington Post and The Guardian. Once the link has done its work on the victim's machine, the attacker's site redirects the browser to the genuine article referenced in the email, so the victim sees nothing out of the ordinary.
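The lure described above works because a hostname such as "news.washingtonpost.com.something.net" reads like a subdomain of the newspaper while actually being registered under an attacker-controlled domain. The following check, an added example that is not part of the original article or of Kaspersky's analysis, scans an email body for links whose hostname mentions a known news brand but whose registrable domain is not one of that brand's own. The brand list, the short public-suffix subset, and the sample email (including its URLs and domains) are all constructed for this example; a production version would use the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Brands a lure might imitate, mapped to the registrable domains that genuinely
# belong to them. Constructed for this example; extend with whatever your
# organisation's users actually read.
KNOWN_BRANDS = {
    "washingtonpost": {"washingtonpost.com"},
    "guardian": {"theguardian.com", "guardian.co.uk"},
}

# Tiny subset of multi-label public suffixes so that registrable_domain() does
# not mistake "guardian.co.uk" for a host under the registrable domain "co.uk".
# Assumption for the example: a real deployment should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.es", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(hostname: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(url: str):
    """Return (brand, registrable_domain) when the hostname mentions a known brand
    that does not own the registrable domain; otherwise return None.

    Any subdomain of the brand's own domain is accepted, because legitimate mail
    from these sites routinely uses subdomains (www., mobile., and so on)."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return None
    reg = registrable_domain(host)
    owner = next((b for b, legit in KNOWN_BRANDS.items() if reg in legit), None)
    flat = host.replace("-", "")  # catch "the-guardian.example.net" as well
    for brand in KNOWN_BRANDS:
        if brand != owner and brand in flat:
            return (brand, reg)
    return None


def scan_email_body(body: str):
    """Return a list of (url, imitated_brand, actual_registrable_domain) findings."""
    findings = []
    for url in URL_RE.findall(body):
        hit = lookalike_brand(url)
        if hit:
            findings.append((url, hit[0], hit[1]))
    return findings


# Constructed sample email: the first link imitates a Washington Post subdomain
# on an unrelated domain, the second is a genuine Guardian URL shape.
SAMPLE_EMAIL = """\
Hi, thought you'd want to see this piece before the briefing:
http://politics.washingtonpost.com.news-update-example.net/story/2014/analysis.html
and the follow-up at https://www.theguardian.com/world/2014/feb/10/example
"""

if __name__ == "__main__":
    for url, brand, reg in scan_email_body(SAMPLE_EMAIL):
        print(f"SUSPECT {url}\n  looks like {brand} but is hosted under {reg}")
```

The check has to run on the URL as it appears in the email, not on where the browser finally lands: as the article notes, the attacker's server forwards the victim to the real site once the exploit has fired, so a sandbox that only records the final page would see a benign newspaper article.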
Once downloaded, Careto collects a huge variety of documents from the infected system, with an eye toward sensitive or specialized data: encryption keys, VPN configurations, SSH keys and whatnot. And it doesn't stop there: Kaspersky says "there are also several unknown extensions being monitored [by the malware] that we have not been able to identify and could be related to custom military/government-level encryption tools." From a security standpoint, infection is disastrous: Careto can access network traffic and record keystrokes and Skype conversations, among many other capabilities.
Careto's complexity and high level of refinement indicate it wasn't thrown together by a basement hacker. Kaspersky calls it one of the most advanced threats it has ever seen, besting even the famously cryptic Duqu Trojan.
While the full extent of Careto's reach is unknown, Kaspersky identified victims at over 1,000 IP addresses in 31 countries, mainly targeting government institutions, diplomatic offices, and powerful private companies, particularly in the oil and gas industries.
So which state-sponsored hacker group is behind it? Nobody really knows. Kaspersky points out that the use of Spanish slang in the program doesn't really pinpoint a geographic region, and besides, it could very well be a purposeful distraction.
And while it's currently inactive (the