
Careto: The Ugly Face of Very Sophisticated Malware

May 6, 2014 / Matt Larsen

Careto is a sophisticated, internationally deployed piece of malware that currently holds the record for the longest time spent hidden from detection.

You may have read that Careto is Spanish, but it was originally a Portuguese word with a very different meaning. This distinction can help us draw two conclusions:

Just as English slang is not quite the same between the U.S., Scotland, England and Ireland (or even between Boston and Chicago), Spanish slang is not the same from country to country.

In Portugal, the term “Careto” refers to part of a ceremony that takes place during Carnival, in which the “Caretos” (the main participants) dress up in brightly colored costumes with very specifically crafted masks made of leather and wood. They also wear belts of bells that jingle as they chase people through the streets.

In Spain, “Careto” came to mean “ugly face” or to “make an ugly face for a camera.” This term also spread to South America’s Spanish-speaking countries.

The Careto malware starts off in the exact same way that nearly all major APT attacks in the last decade have started: with spear-phishing emails containing links or attachments.

One thing that makes Careto so sophisticated is the number of languages the emails are written in, and how they have evolved over time.

The latest versions of the Careto spear-phishing emails use attachments, but many of them use links to very carefully constructed malicious websites.

These websites are often legitimate in every other reference on the Internet, but contain restricted sub-folders that are referenced only in the spear-phishing emails. This tactic allows the malicious folders to avoid being scanned and blacklisted by protection services.

These websites are also completely transparent to the victim. In one of the most cunning attacks, a link was sent out referencing a YouTube video, and the link appeared to be a YouTube link. However, it actually went to a link-shortening service, which quietly loaded the malware and then redirected the user to the actual YouTube video they were expecting. This tactic left the user completely unaware that anything had happened.
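The lure just described works because the visible text of the link and its real target disagree. The following is an added example (not code from the original post) of a mail-gateway style check that parses the anchors in an HTML message body and flags links whose display text names one domain while the href points to another, or whose target is a known link-shortening host. The shortener list and the sample message are constructed for the example; the crude two-label "base domain" comparison is a simplification a real deployment would replace with a public-suffix list.

```python
"""
Flag HTML email links whose visible text points one way while the href
points another (the YouTube-looking link that really goes through a
redirector). Added example with constructed sample input.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical shortener hosts for the example; a real deployment keeps
# its own policy list.
SHORTENER_HOSTS = {"short.example", "lnk.example"}

# Constructed sample message body: one disguised link, one honest link
# with URL-like text, one link with plain prose text.
SAMPLE_EMAIL = """
<p>Check this out: <a href="https://short.example/a1b2">https://www.youtube.com/watch?v=abc123</a></p>
<p>Our site: <a href="https://www.example.com/news">www.example.com/news</a></p>
<p><a href="https://www.example.com/report.pdf">Quarterly report</a></p>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if none. Accepts scheme-less text."""
    parsed = urlparse(url.strip())
    if not parsed.netloc and "." in parsed.path:
        # display text such as 'www.youtube.com/watch?v=...' has no scheme
        parsed = urlparse("http://" + url.strip())
    return (parsed.hostname or "").lower()


def base_domain(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str) -> list:
    """Return findings as (reason, href, visible_text) tuples."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        # Only treat the visible text as a URL if it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and base_domain(text_host) != base_domain(href_host):
            findings.append(("display/target mismatch", href, text))
        if href_host in SHORTENER_HOSTS:
            findings.append(("link shortener", href, text))
    return findings


def audit_sample() -> list:
    """Run the audit over the constructed sample message."""
    return audit_links(SAMPLE_EMAIL)


if __name__ == "__main__":
    for reason, href, text in audit_sample():
        print(f"{reason}: text={text!r} -> href={href!r}")
```

Only the first link is reported, and it is reported twice: once because the text claims youtube.com while the href goes to short.example, and once because short.example is on the shortener list. The honest www.example.com link and the prose-text link pass.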

Spear-phishing tactics like these are extremely effective, despite most companies’ attempts to stop them. It only takes one person to click on the link to infect an entire company.

Much like Flame, which used nearly a dozen components to execute its goals, Careto is so special and unusual because of the depth of tools it uses, and how well they are hidden.

Figure: Careto Infection Flow [1]

Careto includes the following components:

- Sophisticated malware modules

- A stealth rootkit (software, usually in the kernel, designed to hide other software or perform malicious activities)

- A bootkit (similar to a rootkit, but often residing in the Master Boot Record, allowing it to bypass full-disk encryption)

- A 32-bit Windows malware module

- A 64-bit Windows malware module

- A Mac OS X malware module

- A Linux malware module

- And (still unconfirmed) versions for Android and Apple iOS

What makes Careto more sophisticated than any other malware seen before is its backdoor SGH (Slow-Growing Hierarchy) module. This module not only exfiltrates data in a way that is invisible on the network, but it can also regulate plug-ins. This allows the developers to update the software, install new plug-ins, or activate other modules from C2C (command and control) servers, all without the victim knowing a thing. This tactic had never been used at this level of sophistication, and it is what drew attention to the module as a major nation-state-sponsored piece of malware.

The first components of the C2C infrastructure and infected machines go back as far as 2006, meaning that Careto went undetected for more than seven years.

As fixes for the exploits were discovered, the developers would send out instructions either to fail over to a different attack module or to install a new plug-in that increased its stealth capabilities. All of this malicious activity also went undetected.

Careto’s backdoor modules have greater capabilities than any other backdoor systems seen before. Additionally, Careto can tailor itself to the operating system, available exploits, and other defenses on the system!

The backdoor usually works by loading an encrypted CAB file containing files named “Dinner,” “Chef,” and “Waiter,” selected according to the environment (i.e., 32-bit, 64-bit, Windows, Linux, Mac OS X, etc.). The “Dinner,” “Chef,” and “Waiter” files all have different functions, but when the CAB is extracted they all appear to be .jpg files. In reality, they are .dll files, all of them executables.
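An extension tells you nothing about what a dropped file actually is; the content does. The following is an added example (not code from the original post or from any Careto sample) of a scan that ignores the file extension and looks at the bytes instead: it recognises common image headers and, for anything starting with an MZ stub whose e_lfanew offset lands on a "PE\0\0" signature, reports a Windows executable, calling out the case where such a file carries an image extension. The sample files, including the name "Dinner.jpg", are constructed for the example and contain only a minimal fake header, not a real binary.

```python
"""
Classify files by content rather than extension and flag PE executables
that carry an image extension. Added example with constructed sample bytes.
"""
import struct

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"BM": "BMP",
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A slice past the end returns fewer bytes, so a bogus offset fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def image_kind(data: bytes):
    """Name of the image format whose magic bytes open the data, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(name: str, data: bytes) -> str:
    """Describe a file by its content, noting when the extension lies."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if is_pe(data):
        if ext in IMAGE_EXTENSIONS:
            return "PE executable masquerading as image"
        return "PE executable"
    kind = image_kind(data)
    return f"{kind} image" if kind else "unknown"


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header: not a runnable binary, just the signatures."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


# Constructed sample set: a fake DLL named like the post's "Dinner" file,
# a genuine-looking JPEG header, and a text file.
SAMPLE_FILES = {
    "Dinner.jpg": build_fake_pe(),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"hello",
}


def scan(files: dict) -> dict:
    """Map each file name to its content-based classification."""
    return {name: classify(name, data) for name, data in files.items()}


def suspicious(files: dict) -> list:
    """Names of files whose image extension hides an executable."""
    return [name for name, verdict in scan(files).items() if "masquerading" in verdict]


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
    print("suspicious:", suspicious(SAMPLE_FILES))
```

The same check generalises beyond CAB drops: run it over any extracted archive or mail attachment directory, and treat a "masquerading" verdict as a detection rather than a curiosity, since no legitimate image carries a PE header.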

There is no doubt that Careto is the most advanced piece of malware to date, overtaking Flame, Stuxnet and Night Dragon.

That it remained hidden for so long, and intentionally tied itself to a malware detection system, is an incredible feat of programming.

Its Spanish origin could point to any of 21 countries that use Spanish either officially or unofficially as their primary language, but given the sophistication, it could easily be a false flag diversion to try and lead people away from the true source, which still remains hidden.

While the top countries involved do have some political ties that could explain the attack, none of those links are conclusive.

But this really raises the larger question: How many other Caretos are out there and how do we protect ourselves?

The best way to protect against any Careto-like malware is a multi-layered security approach that does not rely on signatures; that is how Careto was originally detected. But like anything else, Careto started with a social engineering email executing a rogue file.

If you have concerns around Careto-like malware, Bit9 can help.
