According to the report published by Kaspersky researchers, The Mask mainly targets government agencies, diplomatic offices and embassies, private companies, research institutions and activists, with 300+ unique victims identified.
It is a highly sophisticated toolset, combining malware, a bootkit and a rootkit, that can intercept network traffic, keystrokes, Skype conversations, PGP keys and Wi-Fi traffic, capture the screen, monitor all file operations, and harvest encryption keys, VPN configurations, SSH keys and RDP files. These capabilities make it unique and dangerous, and Kaspersky judged it more sophisticated than Duqu.
The Mask has claimed victims in the following countries:
Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
On infected machines, The Mask searches for and collects files with the following extensions, which cover documents, encryption keys and remote-access configuration:
*.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX.
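The extension list above is also a hunting lead: a single process reading private keys (PPK, GPG, SKR), VPN and remote-desktop configuration (OVPN, RDP) and office documents in one sitting is unusual for any legitimate program. The following Go program is an added example, not code from the article or from Kaspersky's report. It scores file-access events by how many distinct targeted extensions each process touched. The event format ("image name, one space, full path"), the sample events and the process name "upd.exe" are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Extensions Kaspersky reported Careto harvests (the list from the article),
// normalised to lower-case without the leading dot.
var caretoExtensions = func() map[string]bool {
	m := make(map[string]bool)
	for _, e := range strings.Fields(`akf asc axx cfd cfe crt doc docx eml enc gmg gpg hse key m15 m2f
		m2o m2r mls ocfs ocu ods odt ovpn p7c p7m p7z pab pdf pgp pkr ppk psw pxl rdp rtf sdc sdw skr
		ssh sxc sxw vsd wab wpd wps wrd xls xlsx`) {
		m[e] = true
	}
	return m
}()

// ExtOf returns the lower-case extension of a Windows or POSIX path, or ""
// if the final path component has none. Both separators are handled so the
// function behaves the same when Windows logs are processed on Linux.
func ExtOf(path string) string {
	base := path[strings.LastIndexAny(path, `\/`)+1:]
	i := strings.LastIndex(base, ".")
	if i <= 0 || i == len(base)-1 { // no dot, dotfile (.bashrc) or trailing dot
		return ""
	}
	return strings.ToLower(base[i+1:])
}

// IsTargetedExt reports whether the path ends in one of the collected extensions.
func IsTargetedExt(path string) bool { return caretoExtensions[ExtOf(path)] }

// CountTargetedExts takes events of the constructed form "<image> <path>" and
// returns, per image, how many DISTINCT targeted extensions it read. Distinct
// extensions rather than raw file counts: a word processor opening fifty .docx
// files is normal; one process touching PPK, GPG, OVPN and RDP files is not.
func CountTargetedExts(events []string) map[string]int {
	seen := make(map[string]map[string]bool)
	for _, ev := range events {
		parts := strings.SplitN(ev, " ", 2)
		if len(parts) != 2 {
			continue
		}
		image, ext := parts[0], ExtOf(parts[1])
		if !caretoExtensions[ext] {
			continue
		}
		if seen[image] == nil {
			seen[image] = make(map[string]bool)
		}
		seen[image][ext] = true
	}
	counts := make(map[string]int, len(seen))
	for image, exts := range seen {
		counts[image] = len(exts)
	}
	return counts
}

// FlagCollectors returns, sorted, the images that read at least minDistinct
// different targeted extensions.
func FlagCollectors(events []string, minDistinct int) []string {
	var flagged []string
	for image, n := range CountTargetedExts(events) {
		if n >= minDistinct {
			flagged = append(flagged, image)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleEvents is constructed test data, not a real capture; "upd.exe" is a
// made-up name standing in for the collecting process.
var SampleEvents = []string{
	`explorer.exe C:\Users\alice\Documents\budget.xlsx`,
	`WINWORD.EXE C:\Users\alice\Documents\report.docx`,
	`WINWORD.EXE C:\Users\alice\Documents\minutes.DOCX`,
	`upd.exe C:\Users\alice\.ssh\id_rsa.ppk`,
	`upd.exe C:\Users\alice\AppData\Roaming\gnupg\secring.gpg`,
	`upd.exe C:\Users\alice\Documents\vpn\office.ovpn`,
	`upd.exe C:\Users\alice\Desktop\jump-host.rdp`,
	`upd.exe C:\Users\alice\Documents\report.docx`,
	`upd.exe C:\Windows\System32\kernel32.dll`,
}

func main() {
	for image, n := range CountTargetedExts(SampleEvents) {
		fmt.Printf("%-14s distinct targeted extensions: %d\n", image, n)
	}
	fmt.Println("flagged:", FlagCollectors(SampleEvents, 3))
}
```

The threshold of 3 is arbitrary; in a real deployment it would be tuned per host role, and backup agents or search indexers that legitimately read every file type would need an allow-list.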
According to the researchers, the malware was designed to infect 32-bit and 64-bit Windows, Linux and Mac OS X. It went undetected for about 7 years and was disclosed last month. The researchers also report indications of versions for iOS and Android, although these have not been confirmed.
Kaspersky took a particular interest in this research because the malware attempted to exploit a vulnerability in its own products, namely Workstation products prior to version 6.0.4.* and KAV/KIS 8.0. In its statement the company says:
“In case of the Careto implant, the C&C communication channel is protected by two layers of encryption. The data received from the C&C server is encrypted using a temporary AES key, which is also passed with the data and is encrypted with an RSA key. The same RSA key is used to encrypt the data that is sent back to the C&C server. This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.”
During the investigation, the researchers found a CAB file containing shlink32.dll and shlink64.dll, which identify the architecture of the victim machine; depending on the architecture, the malware then installs objframe.dll. Alongside this, the toolset includes further backdoor programs capable of extensive surveillance. Another backdoor, SBD (Shadowinteger's Backdoor), is a netcat-derived open-source tool used as a backdoor on Linux machines.
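The double encryption in the quoted statement is the standard hybrid-envelope pattern: a fresh symmetric key per message protects the payload, and an asymmetric key protects that symmetric key. The Go program below is an added illustration of that pattern, not Careto's code and not Kaspersky's. The article does not say which modes or padding Careto used, so RSA-OAEP, AES-256-GCM, the envelope layout and the sample payload are this example's own choices. One consequence worth noting for analysts: only the holder of the RSA private key can unwrap the AES key, so whichever side has to read such messages must carry that private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is one message in the two-layer scheme: payload under a one-time
// AES key, and that AES key under RSA. Layout and algorithms are this
// example's assumptions, not Careto's.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(aesKey)
	Nonce      []byte // 12-byte GCM nonce
	Ciphertext []byte // AES-GCM(payload) with the auth tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload for whoever holds the RSA private key matching pub.
func Seal(pub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // fresh per message: the "temporary" key
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open reverses Seal. The RSA private key unwraps the AES key; GCM then
// authenticates the payload, so a modified ciphertext is rejected.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap AES key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("payload authentication failed: %w", err)
	}
	return pt, nil
}

// RoundTrip generates a key pair, runs one payload through Seal/Open, and
// reports the recovered plaintext plus whether a bit-flipped copy was rejected.
func RoundTrip(payload []byte) (recovered []byte, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	env, err := Seal(&priv.PublicKey, payload)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Open(priv, env); err != nil {
		return nil, false, err
	}
	bad := *env
	bad.Ciphertext = append([]byte(nil), env.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01 // flip one bit; the GCM tag must now fail
	_, tErr := Open(priv, &bad)
	return recovered, tErr != nil, nil
}

func main() {
	// Constructed sample tasking, not a real Careto command.
	pt, rejected, err := RoundTrip([]byte("constructed tasking: collect *.ovpn"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\ntampered copy rejected: %v\n", pt, rejected)
}
```

Because the AES key is generated per message, two envelopes carrying identical payloads share no ciphertext, which is what defeats the simple traffic-matching an analyst would otherwise try against captured C&C sessions.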
Who created this malware remains unclear and is still under investigation.