Close this search box.

Throwback Attack: Careto malware attacks more than 30 countries

Courtesy: CFE Media and Technology

The world has been full of threats in the past couple of years. We have seen potential wars, actual invasions, a worldwide pandemic and so much more. It is hard to keep track of it all, especially when it is behind the scenes where not a lot of people are watching. In 2014, Kaspersky Cybersecurity Company found something that no one had caught before, Careto.

The Careto malware got away with stealing private information for several years, targeting diplomatic offices and critical infrastructure of different countries. They were able to spy on not only what the victims typed, but they could also record Skype calls.

What is “Careto”?

Careto, or The Mask, is a piece of espionage malware. It was discovered in 2014 by Kaspersky, but it has been in operation since at least 2007. When Careto was trying to exploit Kaspersky Cybersecurity Company software, Kaspersky caught on to it and investigated further. It is believed to be the work of a nation-state due to the level of sophistication and professionalism. Careto’s target list included diplomatic offices and embassies. It was also used against critical infrastructure such as energy companies, including oil and gas. Kaspersky suspected that the creators of the malware were Spanish-speaking. The word “careto” is a Spanish slang word for face.

Different components of the malware include linguistic artifacts from the authors, suggesting that they are proficient in the Spanish language. Some slang words used would be very unusual in a non-native speaker,” the firm’s report stated. “’Careto’ was one of them and the one that ended up giving the malware its name,” according to a Ziranews article.

Careto malware effects

Careto lures its victims by sending out spear phishing emails with links to a malicious website that contains a number of ways to infect systems. The attackers use subdomains that simulate subsections of major newspapers in Spain, as well as some from other countries, such as the Guardian and the Washington Post. After being on the malicious site, users are redirected to the benign website referenced in the original email. Once systems are infected, the malware is able to intercept all communication channels and take vital information.

According to the same Ziranews article, the malware allows the attacker to gain access to a number of resources. For example, it can record Skype conversations, see everything the victim types, take screenshots, steal files and install anything else the attacker wants onto the victim’s computer. Given the listed targets, the stakes are very high.

What makes Careto stand apart from other cyber threats is the complexity of the toolset used, which includes a highly sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions, and possibly versions for Android and iPad/iPhone (iOS). Careto is a backdoor package that collects system information and executes arbitrary code from the C&C infrastructure. It also uses a unique attack against older Kaspersky Lab products to allow attackers to hide in the system. According to an article from Kaspersky, “This puts it above Duqu in terms of sophistication, making The Mask one of the most advanced threats at the current time.”

Who was behind it?

There was a lot of speculation about who could be behind these cyberattacks. Were they really Spanish-speaking, or was that just a deception to throw people off the right path? However, experts found that Careto’s focus was mainly on Spanish-speaking victims, heavily targeting Morocco and Gibraltar, amongst around 30 other countries. The primary target, Morocco, was one of the factors that pointed to Spain as the culprit. Careto’s list of targets coincided with the geostrategic interests of Mariano Rajoy, the prime minister of Spain from 2011 to 2018.

Still, there is no conclusive evidence to truly pin down who was behind these attacks, and no one formally accused Spain. At this point, all known Careto C&C servers are offline. The attackers started going dark in January 2014, but Kaspersky was able to get some of Careto’s C&C servers, which allowed them to gather information on the operation.


Careto was able to go undetected for years and attacked more than 1,000 IP addresses in more than 30 countries. A more recent cyberattack and spyware, Pegasus, has been compared to Careto due to its similar espionage abilities. Careto was not as powerful as Pegasus is today, but it gave the hackers access to several of its victims’ devices. While Pegasus’ purpose may be different from Careto’s, Careto’s malware could just as easily be a stepping stone to Pegasus’ creation.

Threat actors can learn from previous attacks and evolve into something even more dangerous. And it’s certainly not the last threat we’ll see.




Keep your finger on the pulse of top industry news