First there was Stuxnet. Then Duqu. Then Flame. Then Gauss. And last year we had Red October. And now we have The Mask - a new sophisticated cyber-espionage threat which has been called one of the most advanced threats out there at the moment.
However, while we know the name of the cyberweapon, we still don't know how it works, where it comes from or who it is targeting.
This is because Russian security company Kaspersky, which discovered the threat, has only given a few vague details about the advanced persistent threat (APT), ahead of unveiling all the details on Sunday, 9 February at its Security Analyst Summit taking place in the Dominican Republic.
In a brief preview of The Mask, Kaspersky said the malware is "leveraging high-end exploits" and is "an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products."
Where does The Mask come from?
When looking at APTs of the past, we have a good idea where most of them originated. Stuxnet and Flame are the result of a collaboration between the US and Israel while details within the software of Red October indicated it was coded by Russian speakers. Other APTs have shown origins in Korea (Kimsuky) and China (NetTraveler).
Interestingly, however, Kaspersky says the authors of The Mask appear to be native speakers of a language previously unseen in other similar pieces of malware, ruling out Russian, English, Chinese, Korean and possibly Hebrew.
Considering Kaspersky software is on sale around the world, the origins of The Mask could be any part of the globe. However, Kaspersky does have a major presence in the Middle East, and that region is a hotbed of cyber-activity, meaning it could be the source of The Mask.
Who is The Mask targeting?
Sophisticated pieces of malware like Stuxnet and Flame typically target governments or critical infrastructure and it sounds like The Mask is no different.
Kaspersky says that 27 countries have been affected by The Mask, but it has not revealed which countries or regions specifically.
It also revealed that the malware has been in use for at least seven years.
Is The Mask related to the Adobe vulnerability?
On Monday Adobe released a patch for a critical flaw in its Flash Player and, in the notes accompanying the release, thanked Kaspersky for its help in identifying it.
The vulnerability allows an attacker to remotely inject code and take control of the underlying system hosting Flash, and it is believed that the flaw is being actively exploited by cybercriminals.
Kaspersky's Threatpost blog post about the patch mentions The Mask, strongly indicating a link between the two.