The latest high-profile cyber weapon to be discovered, called The Mask (also known as Careto), appears to have been built by Spanish-speaking developers, has gone undetected since 2007 and has infected victims in 31 countries.
The state-sponsored cyber-espionage tool was revealed by Kaspersky Lab at its Security Analyst Summit, taking place in the Dominican Republic this week.
Kaspersky says The Mask has been operating since 2007 and has affected 380 targets in 31 countries. Targets include government institutions, oil and gas companies and activists. The Mask is designed to steal documents, encryption keys and other sensitive files, as well as to take full control of infected computers.
The UK has experienced 109 of these unique attacks, making it the third most targeted country globally. Morocco comes first with 384 unique attacks and Brazil second with 173. More than 1,000 IP addresses are affected in total.
One of the most interesting aspects of The Mask is that it was created by Spanish-speaking software engineers, something observed very rarely in advanced persistent threats (APTs). Previous high-profile malware has been attributed to countries such as Russia, China, the US and Israel.
Kaspersky has not revealed which country created The Mask.
One of the most advanced threats
Costin Raiu, director of global research at Kaspersky Lab, said: "Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules to using wiping instead of deletion of log files. This level of operational security is not normal for cyber-criminal groups."
The Mask is the latest in a long line of malware believed to be state-sponsored, which began with Stuxnet and was followed by Duqu, Flame, Gauss and, last year, the discovery of Red October.
The Mask was able to infect PCs running Windows, Mac OS X and Linux, as well as Android smartphones and tablets and Apple's iPhones and iPads.
The malware had been active for at least five years, but some samples were compiled as early as 2007.
The malware was spread using spear-phishing email campaigns. According to a report from ZDNet, the emails contained links that appeared to come from major news outlets such as The Guardian and The Washington Post, as well as links claiming to lead to YouTube videos.
The malicious website hosts a number of exploits and serves one chosen to match the visitor's system configuration. After a successful infection, the malicious website redirects the user to the benign website referenced in the email, so the victim ends up on the page they expected to see.
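The delivery chain described above relies on links whose visible text names a trusted site while the href points somewhere else. Below is an added example of a defensive check for that pattern, written for this page and not drawn from Kaspersky's report or from the campaign itself: it takes (link text, href) pairs as a mail filter or analyst might extract them from a message, and flags text/target domain mismatches, bare-IP targets and brand names used as lookalike subdomains. All hostnames in the sample are constructed, and the brand list is an assumption chosen to match the outlets named in the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: (visible link text, actual href) pairs as they
# might be extracted from a spear-phishing e-mail. Hostnames are invented.
SAMPLE_LINKS = [
    ("https://www.theguardian.com/world/2014/feb/10",
     "http://theguardian.com.news-mirror.example/world/2014/feb/10"),
    ("https://www.washingtonpost.com/politics",
     "https://www.washingtonpost.com/politics"),
    ("Watch on YouTube",
     "http://youtube-video.example/watch?v=abc123"),
    ("http://www.youtube.com/watch?v=abc123",
     "http://192.0.2.10/watch?v=abc123"),
]

# Assumed brand names to watch for; extend to match the organisation's threat model.
BRANDS = ("theguardian", "washingtonpost", "youtube")

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Second-level public suffixes handled by this simplified check (e.g. .co.uk).
SECOND_LEVEL = {"co", "com", "org", "gov", "ac"}


def registrable_domain(host):
    """Crude registrable domain: last two labels, or last three for .co.uk-style hosts.
    A production filter should use a full public-suffix list instead."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(text, href):
    """Return a reason string if the link looks deceptive, otherwise None."""
    target_host = (urlparse(href).hostname or "").lower()

    # 1. Links to bare IP addresses are rarely legitimate in news-site mail.
    if IPV4_RE.fullmatch(target_host):
        return "href points at a bare IP address"

    # 2. If the visible text is itself a URL, its domain must match the real target.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if registrable_domain(shown_host) != registrable_domain(target_host):
            return f"link text shows {shown_host} but href goes to {target_host}"

    # 3. A known brand appearing in the host outside its own registrable domain
    #    (theguardian.com.news-mirror.example, youtube-video.example) is a lookalike.
    reg = registrable_domain(target_host)
    for brand in BRANDS:
        if brand in target_host and reg.split(".")[0] != brand:
            return f"brand '{brand}' used as a lookalike in {target_host}"

    return None


def scan_links(links):
    """Return [(href, reason)] for every link that fails one of the checks."""
    flagged = []
    for text, href in links:
        reason = classify_link(text, href)
        if reason:
            flagged.append((href, reason))
    return flagged


if __name__ == "__main__":
    for href, reason in scan_links(SAMPLE_LINKS):
        print(f"SUSPICIOUS {href}: {reason}")
```

The check runs entirely offline and never follows the link, which matters here: fetching the target would trigger the same browser fingerprinting and exploit selection the victim's machine was subjected to. Pair it with proxy or DNS logs to confirm whether anyone actually visited the flagged hosts.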
The malware intercepts the infected system's communication channels and collects the most valuable information from it. Detection is extremely difficult because of its stealth rootkit capabilities.
As of last month, all of the command-and-control servers controlling The Mask had been taken offline by the attackers. However, Kaspersky hasn't ruled out the malware reappearing in the future.