Please note we have recently updated our Privacy Policy, effective May 24, 2018. You may view the updated Privacy Policy here.
By using this website, you consent to the use of information that you provide us in accordance with the Privacy Policy.


Sophisticated Spy Malware ‘Careto’ Goes Undetected for 7 Years

sophisticated careto goes undetected for seven years
April 2, 2014 / Matt Larsen

If you haven’t heard of it yet, you will soon. Careto, aka “The Mask,” is a collection of malware consisting of backdoors, cloaking agents, filter agents and file transfer systems that are so sophisticated that they have been in the wild and eluding detection for SEVEN YEARS – an amazing feat.

The general consensus in the IT Security field is that this is a nation-state-sponsored APT (Advanced Persistent Threat). But what nation did this come from? Allow me to remove my hacker-hat and put on my anthropologist’s hat.

Let’s look at the clues:

  • The software itself is primarily written in Spanish. There are 21 countries that have Spanish as their official (or unofficial) primary language, but with software this sophisticated, it is very conceivable that it was written in Spanish as a “false flag,” or red herring, to draw investigators off track. There were some common misspellings in the English parts of the code “REM” fields, but there were not enough of them to be able to draw a conclusion as to their country of origin.
  • In Spanish-speaking nations, Careto actually refers to making a “funny face” or “ugly face” for a camera or person. However, in Portugal, a Careto is a person who takes part in a festival. The Caretos chase people around the streets while wearing brightly colored outfits while wearing wooden or leather masks. To me, this sounds like something to name your software after more than someone mugging for a camera, but that’s just my opinion.

The targeting of Careto is also very unique. If we look at the targets and credential use by IP address in up to seven different ways, the same three countries always show up in the top six results:

  1. Spain
  2. France
  3. And Morocco

These are not the “usual suspects” so to speak. While France shows up on the target radar every now and then, this combination of targets is highly unusual. For once, the U.S. was barely on the radar of this attack. If you took a dartboard of the world and threw three darts at it, you would assuredly hit three countries that have some political ties or problems, but not much stands out among the relationships of these three countries.

The types of targets is also unique in some ways, but common in others. The companies targeted included:

  • Government and diplomatic offices — no surprise there.
  • Energy, Oil, and Gas companies – this was also common in the NightDragon attacks.
  • Research Firms – IP theft is a hallmark of many different countries.
  • Private Equity Firms – Not very common
  • And…Activist Groups? — That is a VERY rare target for APT attacks such as this.

The targeting of activist groups is also interesting because most of the spear-phishing emails (emailing targeting very specific groups of people to try and trick them into clicking on a link to an infected website) played on peoples’ emotions about activist causes around the globe, such as the plight of the Uyghur people. It’s also possible that they hoped that the activist groups might have useful information on the targets that Careto’s authors wanted to attack.

So we have a fascinating “whodunit” on our hands. Over the next few weeks and months, hopefully we will learn more about the source of these attacks.

Check out my next blog for more detailed technical information on Careto, including how it was structured, how it functioned, and how to block its known programs. While Careto’s Command and Control infrastructure was taken down, it would not be impossible at all for the developers to inject new Command and Control information into their existing agents to launch Careto all over again.

But for now, just remember: like most other APT attacks, Careto relies on someone opening a link or attachment from someone they don’t know, so never click on a link or attachment unless you are certain of the validity of the source.

While there are a great number of variations of Careto, it still needs to execute untrusted files on a computer for it to work, so with the versions that we have been able to test here at Bit9, Careto was able to be stopped by the Bit9 Security Platform when set to high enforcement.

If you have any questions, feel free to contact me at

TAGS: bit9 / Carbon Black / Careto / detection / malware / malware protection / mask / Prevention / Response