Introduction
This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).
Activities and Tactics
Targeted Sectors: Government, Private sector
Country of Origin: 🏳️ Spain
Risk Level: High
First Seen: 2014
Last Activity: 2014
Incident Type: Espionage
Suspected Victims: Morocco, France, Libya, Venezuela, Poland, Brazil, Spain, United States, South Africa, Tunisia…
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CyberGate
- XtremeRAT
- DroidJack
- Androrat
- Cyber Eye RAT
- Windows Remote Desktop
Attribution and Evidence
Country of Origin: Spain Additional attribution information pending cataloguing.
References
References pending cataloguing.