Data protection is more critical than ever, with increasingly sophisticated, organized, and targeted threats arriving from multiple vectors. One major concern that has recently come to light, though it has been in use since at least 2007, is Careto. This advanced threat is a complex toolset that enables data collection on a scale that can be catastrophic for victims. The malware captures activity from all communication channels and assembles the most valuable information from the infected systems, which it can then send to remote locations.
Named for the Spanish slang term for “mask” (a word the authors included in some of the malware modules), Careto is a group of reconnaissance and data-stealing Trojans that can monitor many elements of a system’s operation, including keystroke entry and network traffic. The monitored information is stored locally on the infected system, and the Trojans are capable of uploading this harvested data to an external server from which the attacker can retrieve it.
The malware used in Careto is highly modular in design and forms a very complex toolset. It uses many small modules, each performing a particular function, that are deployed through a multi-phase installation.
The sophistication of the toolkit and its use is unusual for cybercriminal groups, and those behind the attacks have exhibited a very high degree of professionalism: monitoring their own infrastructure, shutting down the operation when needed, keeping curious eyes away through access rules, and wiping log files rather than merely deleting them. The Windows backdoor is extremely sophisticated, and the attackers use a number of techniques to make the attack stealthier. These include injection into system libraries and attempts to evade detection by exploiting older anti-virus products.
The main targets of Careto fall into the following categories:
- Government institutions
- Diplomatic offices and embassies
- Energy, oil, and gas companies
- Research institutions
- Private equity firms
Given the nature of these targets, the potential impact is extraordinary. Although the exact number of victims is unknown, there are documented cases from more than 1,000 IP addresses in 31 countries. Infections have been observed in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, the United Kingdom, the United States, and Venezuela.
Attributing this piece of malware to a specific person or group is a difficult task. On the internet, solid attribution is extremely hard because of the volatile nature of the malware’s construction and evolution. Some clues, such as the use of Spanish, are weak, as the language is spoken in many countries, including Latin America, Mexico, and the United States.
Detection of these types of attacks is extremely difficult because of the stealth rootkit capabilities they possess. Fortunately, McAfee can detect and remove all known versions of this malware. Definitions for the variants of this malware family have been added to the database and are available starting with DAT #7344. A full system scan with updated DATs can remove the infection from the machine.
To receive a notification when McAfee Labs publishes a Threat Advisory, visit this page on the McAfee website and opt in to “Malware and Threat Reports.”
Not a StandGuard Anti-Virus user yet? Request your free 30-day trial and secure your systems against the Careto threat today.