The Mask or Careto family of malware used tactics originally thought up by 80s and 90s hackers to infect government systems, according to Context Information Security.
Context spotted Mask’s use of old school tactics while doing forensics on the advanced malware, codenamed SGH, used during the campaign.
“While hidden in the complexity of the malware, Careto or The Mask uses the well known technique of infecting the first executable that loads when Windows boots,” said Context senior researcher Kevin O’Reilly.
Specifically, Context reported that Mask used an infection technique originally created to compromise early 16-bit systems.
“It seems that the question the malware authors posed themselves was ‘why reinvent the wheel?’ – virus writers in the 80s and 90s invented many ingenious 16-bit tricks and techniques,” explained Context in a blog post.
“The Mask demonstrates that this simple technique can still be effective today. Old tricks are sometimes the best, it seems, as the method by which SGH achieves its bootkit functionality and infects the bootmgr binary is to employ this ‘old skool’ 16-bit infection strategy straight from the history books.”
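The bootkit persistence described above lives in a file, bootmgr, that should not change outside of a Windows update, which makes a baseline-and-compare integrity check a direct way for a defender to catch this class of modification. The script below is an added example and is not code from the article, from Context or from Kaspersky; the file list, the stand-in file contents and the appended stub bytes are constructed for the demonstration, and the scenario runs entirely inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Boot-critical files a defender would baseline on a real Windows host.
# Assumed list for this example; bootmgr is the file the article names.
DEFAULT_BOOT_FILES = ["bootmgr", "Boot/BCD"]


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, relative_paths) -> dict:
    """Record size and SHA-256 of each boot file under root, taken from a known-good state."""
    baseline = {}
    for rel in relative_paths:
        p = root / rel
        if p.is_file():
            baseline[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def check_baseline(root: Path, baseline: dict) -> list:
    """Return (relative_path, reason) for every baselined file that no longer matches."""
    findings = []
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            findings.append((rel, "missing"))
            continue
        size = p.stat().st_size
        if hash_file(p) != expected["sha256"]:
            reason = "hash mismatch"
            # A file-infector that appends its code makes the target grow; report that.
            if size > expected["size"]:
                reason += f" (grew by {size - expected['size']} bytes)"
            findings.append((rel, reason))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a fake bootmgr, append a stub to it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Boot").mkdir()
        # Constructed stand-ins, not real boot files.
        (root / "bootmgr").write_bytes(b"MZ" + b"\x00" * 4094)
        (root / "Boot" / "BCD").write_bytes(b"regf" + b"\x00" * 508)
        baseline = build_baseline(root, DEFAULT_BOOT_FILES)
        assert check_baseline(root, baseline) == []  # pristine state passes
        # Simulate an infection that appends code to the first-loaded boot binary.
        with (root / "bootmgr").open("ab") as fh:
            fh.write(b"\xEB\xFE" * 256)  # constructed filler bytes, 512 in total
        return check_baseline(root, baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {path}: {reason}")
```

On a real host the baseline would be built right after installation or patching and stored off the machine, since malware that can rewrite bootmgr can also rewrite a manifest kept beside it; a hash mismatch on a boot binary with no corresponding update is the signal to pull the disk for forensics rather than to repair in place.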
Kaspersky Lab researchers uncovered the Mask campaign targeting government systems in February.
The malware allowed the hackers to intercept network traffic from a victim’s PC, keystrokes, Skype conversations, PGP keys, wireless traffic and file activity.
The nature of the malware led Kaspersky to list it as one of the most advanced cyber espionage campaigns ever seen.
Context said that, while it is likely the hackers behind Mask simply learned from their predecessors, it could also be a sign that some veteran cyber criminals have come out of retirement.
“Perhaps the very same talented virus writers, who back in the 80s and 90s pioneered this and other virus techniques, have now been recruited by the organisation behind The Mask and are working to develop their cyber-weaponry arsenal. In which case the rest of the world beware,” read the post.
Mask is one of many advanced cyber espionage campaigns uncovered this year. Researchers at FireEye found evidence earlier this week that the hacker group behind a notorious campaign exploiting a critical vulnerability in multiple versions of Internet Explorer has changed its strategy and is now spreading malware through social media.