At this year’s Kaspersky Security Analyst Summit, the antivirus company unveiled one of the most sophisticated and widespread malware attacks known to date. Dubbed “Careto”, the malware is an extremely advanced piece of software that operates in much the same way as state-sponsored, top-tier programs such as Stuxnet and Flame.
From the report, we can gather that the worm primarily targets government institutions, including embassies, diplomatic offices, and energy committees. The private sector saw its own fair share of abuse as well, with oil and gas companies, equity firms, and activists also among Careto’s targets.
Careto is capable of collecting the VPN configurations, SSH keys, encryption keys, and RDP files of its victims. Most of those victims were initially infected through standard phishing emails leading to spoofed versions of websites such as the Guardian and the Washington Post, piggybacking on those sites’ increased popularity in the wake of the Snowden leaks in order to reach precise targets who might present a threat to “whichever” government originally let the malware loose in the wild.
Possibly the most interesting bit of news to come out of this discovery is that it was Kaspersky’s investigation itself that caused the network supporting the malware to suddenly shut down, going offline permanently in early January after nearly 7 years in operation.
“At the moment, all known Careto command and control servers are offline. The campaign was active [from 2007] until January 2014, but during our investigations the C&C servers were shut down.”
For now, all we have to go on is the belief that the authors’ primary language is Spanish, which does help a little in narrowing down the possible suspects behind the attack. Kaspersky is quick to note that this may simply be a false flag meant to throw researchers off the scent; with so little evidence, pretty much every clue is still considered speculation at this point.