Video Screencast Help

APT The Mask aka Careto

Created: 30 Mar 2014 • Updated: 30 Mar 2014

I am trying to learn more about the Advanced Persistent Threat(APT) “The MASK” aka “Careto” first identified by Kaspersky Labs in February 2014

This APT first appeared on or about 2007 yet the digital signature used is from 2010. It seemed to peak at 2012 for the number of machines infected.  

I would very much like to get samples of either the phishing emails, code from the modules, or specific IPs that were infected. There were 22 targets in the US and another 109 in the UK. If you can not share those IPs or any details of these infected machines, could you provide some more details on the other machines? I speak very little Spanish but seems that based on the target locations that either Spanish or Portuguese played a vital role in this APT.

It seems the majority of backdoors were still windows based. how many total were MAC and Linux based machines were infected and what countries were those found in?

Why did the attackers use the “sbd” backdoor if they already had success with “Careto” and “SGH”? Was it to penetrate Linux or MAC OS? since the others could not work on those OSs?

Has it been determined if “TEC systems from Bulgaria” is legit? Two certs listed started 2011 and 2013. Did Verisign indicate how these certs came to be, to include the second valid cert?

Are there any data samples from the data implants or connections collected by the Kaspersky sinkholes available for public analysis?  Has it been determined the purpose of the “L” version of the implant? was it for Linux?

A Latin American partner provided details regarding one of the C&C server. How many victims did this server have in the /ClientsDirectory, what operating systems, and how many years back did they go? Also the C&C servers blacklisted IPs inside the /htaccess of security researchers of commercial security companies, including Kaspersky, others in the US, Europe, Japan. Why were only these companies selected. It also include a Brazilian security company: < segurança virtua

Why was segurança virtua chosen amoung South American security companies?  Brazil had 137 victim IPs. it appears none of the C&C servers were in Brazil. some of the Spanish slang can also be similar to Portuguese slang. Is it possible either Brazil or other Portuguese entity was responsible for this APT. 

As for exploit site,, listed sites from Spain, America, some UK, but also Argentina, Columbia, but primarily Spain. What about the other two sites: and – were they used to transmit any exploits? what phishing attacks did they use? Same or different newspaper/media content?

Is it proven that Vupen sold the flash player exploit (CVE-2012-0773) to the attackers behind this APT? Do you think this exploit was essential to this APT? it was 1st discovered in 2012, same year the Mask APT experienced a spike.

Finally is there a way to get more information on how the sinkholes worked and will there be further sharing of the data collected in the future?

Thanks much for your assistance and look forward to learning more details about this APT.

Please reply to email:

Operating Systems: