Kaspersky reveals “The Mask”
Published February 11th, 2014 at 12:30 PM EST , modified February 11th, 2014 at 12:30 PM EST
Last week, Kaspersky posted a rather vague note about new malware they called “The Mask,” which they said was “one of the most advanced threats at the moment.” They withheld further information until yesterday, when they revealed their findings at a Kaspersky-sponsored conference, the Security Analyst Summit. This information can be found in a document titled ‘Unveiling “Careto” – the masked APT.’ After studying this document, I am forced to call into serious question Kaspersky’s claims… and their responsibility as a member of the security community.
First, let’s take a look at the facts of the Mac version of the malware, as detailed by Kaspersky. Most of the paper is dedicated to descriptions of the Windows variant, with more than ten pages devoted just to the installation on Windows. The Mac variant seems to be described nearly in entirety within 2 pages – which include a few figures and a table.
The Mac version appears to be dropped (ie, installed) by a file named banner.jpg, which is evidently a 32-bit executable file and not actually a JPEG file. It is unclear how this file ends up on the system, and how it is opened. There are references earlier in the document to spear phishing e-mails (ie, phishing e-mails targeted at a specific individual or group) which contain links to a malicious site. There are also references to a Java vulnerability (CVE-2011-3544) and an Adobe Flash Player vulnerability (CVE-2012-0773), which seem to be used by the malicious site to install the malware on the target machine. These vulnerabilities were patched in 2012 or earlier, and the affected versions of Java and Flash are not allowed to run on a properly-updated copy of Mac OS X 10.6 or later.
The dropper, once opened, apparently proceeds to make a copy of Safari in a hidden location and install a malicious payload inside that copy. Then, according to Kaspersky, the dropper “registers it in the system” using a LaunchAgent. What this means is unclear, though a LaunchAgent is typically used to keep a process running, or run a process when certain conditions are met. It is also unclear exactly what function this Safari clone has. Does it pretend to replace the real Safari? Is it modified to be a background-only process? What does the malicious payload do? No answers to these questions are to be found, as far as I can tell.
The document quite helpfully provides an MD5 checksum of each of these items, as is fairly standard with such papers, to allow others in the field to locate and examine the file. However, a search for files having this checksum in VirusTotal finds no matches… evidently, Kaspersky has not yet been in a sharing kind of mood, and has not submitted these items to the rest of the security community via VirusTotal. Whether they have shared these samples with other companies via more private channels is unknown… but, given their secrecy last week to ensure a big unveiling, doubtful.
In all, I’m unimpressed, and am thoroughly disappointed with how Kaspersky chose to report this. Hiding a malicious payload and keeping it running via a LaunchAgent is hardly a new trick, and installing via vulnerabilities that cannot affect any of the last four major versions of Mac OS X is not particularly dangerous. Since the dropper is apparently an Intel binary, it won’t run on most of the machines running older systems, and really is only a threat to machines that have had their settings modified from the defaults to prevent security updates. On the Mac, at least, this does not seem to be “one of the most advanced threats at the moment.”
There seems to be a bit of conjecture involved here, as Kaspersky has not actually seen quite a few components of this malware. For example, they have not actually located any of the exploits being used by the malicious website in active use. What this means, exactly, is unclear, since they do describe the previously-mentioned Java and Flash exploits (starting on p. 34) in detail. They seem to imply that there must be newer exploits involved, but have no evidence to support that idea other than the fact that these exploits are old. Of course, considering that a Microsoft Office vulnerability patched in mid-2009 has been repeatedly attacked years after the fact, that’s flimsy evidence.
The paper also mentions some Firefox plugins repeatedly, but in very vague terms. I have no idea what the role of these plugins is or anything else about them. It would seem Kaspersky doesn’t either, as they say, “Unfortunately, the plugins we retrieved from the server were badly damaged and could not be recovered. Nevertheless, they do seem to exist and are in use by the Mask attackers.”
The paper dives deeper still into some exceedingly insubstantial speculation. For example, it surmises the existence of versions for Android, based solely (it seems) on a version identifier string beginning with “AND” (p. 28), and for iOS, based on what looks like a web log report indicating that someone visited a malicious site from an iPad. None of this is at all conclusive. In fact, I would expect to find iOS entries in the web logs for the malicious site, since someone might receive the spear phishing e-mail first from their iOS device and visit the site there. This does not mean that the malware would be able to infect the iOS device, of course, and no such exploit is currently known. Kaspersky admitted that they have not been able to locate samples for either of these systems.
Topping off this debacle is the teasing that we received last week. Kaspersky clearly had all this information when they posted their initial “teaser” promising details this week. In fact, they probably had most of this information for some time before that. (The time frame from discovery to disclosure has not been revealed.) This means that, while Kaspersky was sitting on all their data and staging a big reveal in a manner that would benefit them the most (by revealing it at their own security conference), people were being infected! I find that to be horribly irresponsible.
All this follows a comment in December, by Eugene Kaspersky himself on Twitter, in which he claimed that computers could be infected through sound. This comment was seemingly based on second-hand, and highly inaccurate, reporting of a research paper that said nothing of the sort. The research being quoted merely demonstrated how already-infected computers, if equipped with speakers and microphones, would be able to communicate via sound waves in the absence of a more conventional network.
Unfortunately, all this means that I cannot bring myself make any conclusions about this malware. I do not feel that Kaspersky has reported this threat properly or accurately, and have no confidence at all that it is even new. For all I know, it could be a variant related to some other existing malware, just as Flashback evolved significantly different features and functionality in 2012 than it had had in 2011. (I have no reason to believe it’s old, and it probably is new… but I simply have no confidence in that yet.) Since Kaspersky has not seen fit to share their samples publicly, we’d all be well advised to hold judgement on this until a more responsible party has had an opportunity to re-examine this. And in the future, I’ll be taking anything Kaspersky has to say with a very large grain of salt!
Tags: Careto, Kaspersky, malware, The Mask, vulnerability
This post is more than 90 days old and has been locked. No further comments are allowed.
So far only the SBD backdoor shows on VT with a 11/49 detection.
I read the pdf earlier today and though it has a lot of information, it’s not saying much. Even if all the files were obtainable and the pdf had more info, the C&C servers have been shut down and the malware, in it’s current/discovered form, pose no threat. As they have not discovered much of actual use, who knows if the perps moved on or if Kaspersky only discovered a very small tip of a huge iceberg.
The PDF also mentions “current version is 18.104.22.168” referring to Flash Player which was replaced with 22.214.171.124 on February 4th. The information in the PDF was then, at time of release, at least a week old. I wonder if anything new was learned since this PDF was written.
The compilation dates they mention would prove whatever they discovered is new or at least fairly recent but I feel like I just heard someone describe the next hot Apple product they saw with their own eyes in a top secret lab… and in the end I still don’t know what the heck it is 😉
Ahh, I see that item is on VirusTotal now, but none of the others are yet. I also note that most other vendors detecting this are calling it OSX/Appetite.
I saw that, probably because of the “Dinner”, “Waiter” and “Chef” jpegs. Amusing but not very practical.
Kaspersky is a shrill hype machine.