Also, the possibility of attackers resurrecting the attack campaign cannot be ruled out, the researchers said in a blog post.
In terms of sophistication, the Kaspersky researchers place The Mask campaign above other cyberespionage operations such as Duqu, Gauss, Red October and Icefog that the company has identified over the past few years.
"For Careto, we observed a very high degree of professionalism in the operational procedures of the group behind this attack, including monitoring of their infrastructure, shutdown of the operation, avoiding curious eyes through access rules, using wiping instead of deletion for log files and so on," the researchers said in their paper. "This is not very common in APT operations, putting the Mask into the 'elite' APT groups section."
The malware toolset used by the attackers includes three different backdoor programs, one of which had versions for Mac OS X and Linux in addition to Windows. Some evidence possibly indicating infections on iOS and Android devices was also found on the C&C servers, but no malware samples for those platforms was recovered.
The Careto backdoor program collects system information and can execute additional malicious code, the Kaspersky researchers said. It also injects some of its modules into browser processes — it can do so in Internet Explorer, Mozilla Firefox and Google Chrome — to communicate with command-and-control servers.
Careto was often used to install a second, more complex backdoor program called SGH that has a modular architecture and can be easily extended. This second threat contains a rootkit component and has modules for intercepting system events and file operations as well as performing a large number of surveillance functions.
SGH also attempts to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection, which is what attracted the researchers' attention in the first place and prompted the investigation. However, that vulnerability was patched back in 2008 and only affects versions of Kaspersky Workstation older than 6.0.4. and Kaspersky Anti-Virus and Kaspersky Internet Security 8.0 installations that haven't been properly updated, the researchers said.
The third backdoor program is based on an open-source project called SBD, short for Shadowinteger's Backdoor, which is itself based on the netcat networking utility. The Kaspersky researchers found customized SBD variants for Windows, Mac OS X and Linux associated with The Mask operation, but the Linux variant was damaged and couldn't be analyzed.
Different variants of the backdoor programs used in The Mask over the years have been identified, the oldest of which appears to have been compiled in 2007.
Most samples were digitally signed with valid certificates issued to a company called TecSystem Ltd. from Bulgaria, but it's not clear if this company is real. One certificate was valid between June 28, 2011 and June 28, 2013. The other was supposed to be valid from April 18, 2013 to July 18, 2016, but has since been revoked by VeriSign.
Sign up for CIO Asia eNewsletters.