‘The Mask’ Espionage Group Resurfaces After 10-Year Hiatus – Source: www.darkreading.com

Source: rawf8 via Shutterstock

An advanced persistent threat (APT) group that has been missing in action for more than a decade has suddenly resurfaced in a cyber-espionage campaign targeting organizations in Latin America and Central Africa.

The group, called “Careto” or “The Mask“, began operations in 2007 and then seemingly wafted into thin air in 2013. Over that period, the Spanish-speaking threat actor claimed some 380 unique victims across 31 countries including the US, UK, France, Germany, China, and Brazil.

A Prolific Threat Actor

Researchers from Kaspersky who tracked Careto 10 years ago —and also spotted its new attacks recently — have identified Careto’s previous victims as including government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, and private equity firms.

In a blog post this week, Kaspersky reported the group as having targeted at least two organizations in its sophisticated new campaign, so far — one in Central Africa and the other in Latin America. The focus of the attacks appears to have been on stealing confidential documents, cookies, form history, and login data for Chrome, Edge, Firefox, and Opera browsers, Kaspersky said. The security vendor said it had also observed the attackers targeting cookies from messenger apps such as WhatsApps, WeChat, and Threema.

“We [were] able to discover the latest Careto campaigns thanks to our knowledge of the previous campaigns orchestrated by Careto, as well as indicators of compromise uncovered over the course of investigating these campaigns,” says Georgy Kucherin, security researcher at Kaspersky.

“These indicators date back to 10 years ago — which is quite a long time,” he says. “For companies that are planning their cybersecurity strategies, it is crucial not to overlook activities of advanced persistent threats (APTs) that have been unseen for a lot of time, as these APTs can come up with completely new, unique attacks at any time.”

Sophisticated, Custom Techniques

Kaspersky characterized Careto group actors as using custom techniques to break into both victim environments, to maintain persistence on them and to harvest information.

In both attacks, for instance, the attackers appear to have gained initial access via the organization’s MDaemon email server — a product that many small and midsize businesses use. The attackers then planted a backdoor on the server which gave them control over the network and also took advantage of a driver associated with the HitmanPro Alert malware scanner to maintain persistence, Kaspersky said.

As part of the attack chain, Careto exploited a previously unknown vulnerability in a security product used by both victims, to distribute four multi-modular implants on machines across each victims’ network. Kaspersky’s report did not identify the security product or the vulnerability that Careto has been exploiting in its new campaign. But the company said it has included full details of Careto’s latest attacks, including its tactics, techniques, and procedures, in a private APT report for customers.

“Currently, we are not sharing the name of the product so as not to encourage cybercriminals to perform malicious activity,” Kucherin says.

Versatile Modular Implants

The implants — dubbed “FakeHMP,” “Careto2,” “Goreto,” and the “MDaemon implant” — enabled the attackers to execute a variety of malicious actions in the victim environments. The MDaemon implant, for instance, enabled the threat actors to conduct initial reconnaissance activity, extract system configuration information and execute commands for lateral movement, Kucherin says. The threat actors are using FakeHMP for microphone recording and keylogging purposes and also for stealing confidential documents and login data, he notes. Both Careto2 and Goreto also perform keylogging and screenshot capturing. In addition, Careto2 supports file theft as well, Kucherin says.

“The newly discovered implants are intricate multimodal frameworks, with deployment tactics and techniques that are both unique and sophisticated,” Kucherin wrote in Kaspersky’s blog post. “Their presence indicates the advanced nature of Careto’s operations.”

The Careto group is one of several threat groups that Kaspersky highlighted in a roundup of APT activity during the first quarter of 2024. Another is Gelsemium, a threat group that has been using server-side exploits to deploy a Web shell and multiple custom tools on organizations in Palestine and, more recently, in Tajikistan and Kyrgyzstan. Others in the roundup include North Korea’s Kimsuky group, which was recently spotted abusing weak DMARC policies in a targeted phishing campaign and Iran’s OilRig group, which is well known for its attacks on targets within Israel’s critical infrastructure sector.