Kaspersky lifts the curtain on threat actor called “The Mask”

The Spanish-language group has allegedly been involved in a number of cyber-espionage campaigns since 2007, and was first discovered in 2013 when it tried to exploit a vulnerability in Kaspersky’s own products.

According to Kaspersky, The Mask is especially dangerous because of the toolkit it uses in its operations. It has access to sophisticated malware, a rootkit, a bootkit, and versions for Mac OS X and Linux. Kaspersky says it may also have versions for Android and iOS.

The Mask has primarily targeted public sector organizations, such as government institutions, diplomatic offices, and embassies; energy, oil, and gas companies; and research groups and activists.

So far, Kaspersky has identified 380 victims of The Mask in 31 countries around the world. The attackers have primarily taken office documents, encryption keys, VPN configurations, SSH keys, and RDP files.

The Mask uses spear-phishing emails to direct victims – using lures such as YouTube or a news site – to a malicious page that contains a number of exploits. After successful infection, the user is redirected to the benign website named in the email.

The attacks are extremely hard to detect, thanks to the stealth rootkit the group uses. The Mask, being highly modular, is capable of supporting plug-ins and configuration files that allow it to perform a large number of functions.

“Several reasons make us believe this could be a nation-state sponsored campaign,” said Costin Raiu, director, Global Research and Analysis Team (GReAT), Kaspersky Lab, in a release. “First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. This level of operational security is not normal for cyber-criminal groups.”