Double Encryption for Command & Control

Unveiling "Careto" - The Masked APT

The communication between the C&Cs and the victims uses an encrypted protocol over HTTP or HTTPS.

In case of the Careto implant, the C&C communication channel is protected with two layers of encryption. The data received from the C&C server is encrypted using a temporary AES key, which is also passed with the data and is encrypted with an RSA key. The same RSA key is used to encrypt the data that is sent back to the C&C server. This double encryption is uncommon and shows the high level of protection implemented by the authors of the campaign.
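The scheme described in the paragraph above is ordinary hybrid (envelope) encryption: a fresh symmetric key per message, the key wrapped with an asymmetric key and sent alongside the ciphertext. The Go program below is an added example written for this page, not code from the Careto implant, from Kaspersky, or from the author's own demo systems. The cipher modes (AES-256-GCM and RSA-OAEP with SHA-256), the 2048-bit key size and the envelope layout are assumptions, since the report names only "AES" and "RSA"; the receiving side is modelled as holding the RSA private key, which any party that decrypts such a message must have.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope layout (an assumption of this example, not the Careto wire format):
//   [RSA-OAEP wrapped 256-bit AES key][12-byte GCM nonce][AES-GCM ciphertext || tag]
// The wrapped key is exactly one RSA modulus long, so the receiver can split the
// envelope without a length field.

// Seal encrypts plaintext under a temporary per-message AES key and wraps that
// key with the recipient's RSA public key.
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	aesKey := make([]byte, 32) // temporary key, one per message
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The wrapped key is bound in as additional authenticated data, so replacing
	// it with a different wrapped key invalidates the GCM tag.
	ct := gcm.Seal(nil, nonce, plaintext, wrapped)
	env := make([]byte, 0, len(wrapped)+len(nonce)+len(ct))
	env = append(env, wrapped...)
	env = append(env, nonce...)
	env = append(env, ct...)
	return env, nil
}

// Open reverses Seal: unwrap the AES key with the RSA private key, then decrypt
// and authenticate the payload.
func Open(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	keyLen := priv.Size()
	if len(env) < keyLen {
		return nil, errors.New("envelope shorter than wrapped key")
	}
	wrapped := env[:keyLen]
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	rest := env[keyLen:]
	if len(rest) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope truncated")
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, wrapped)
}

// RoundTrip is a self-check: it seals msg for a freshly generated key pair, opens
// it, and reports whether the plaintext survived and whether a one-bit flip in
// the envelope is rejected.
func RoundTrip(msg []byte) (ok bool, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	env, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	got, err := Open(priv, env)
	if err != nil {
		return false, false, err
	}
	ok = bytes.Equal(got, msg)
	env[len(env)-1] ^= 0x01 // flip a bit inside the GCM tag
	_, openErr := Open(priv, env)
	return ok, openErr != nil, nil
}

func main() {
	msg := []byte("constructed sample message") // constructed input, not real traffic
	ok, tamperRejected, err := RoundTrip(msg)
	fmt.Println("round trip ok:", ok, "tamper rejected:", tamperRejected, "err:", err)
}
```

The only long-lived secret in a scheme of this shape is the RSA private key; the temporary AES key travels inside every message. Whichever side decrypts must hold that private key, so an analyst who recovers it from a sample can decrypt any captured exchange, and the second layer adds nothing beyond the secrecy of that one key.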

Kaspersky refers to the "high level of protection" of The Mask espionage system because it double encrypts its data. I take a little umbrage at the suggestion that double encryption implies a "high level" of anything. I've been at least encrypting payloads and usually using double encryption whenever I write little espionage demo systems. It is an easy and obvious thing to do. Here are a few videos from over the years showing toy espionage systems using encryption: