The Careto cyber-espionage group, also known as The Mask, has resurfaced after a ten-year hiatus. The group, which began operating in 2007 and disappeared in 2013, targeted an impressive 380 unique entities in 31 countries, including the USA, Great Britain, France, Germany, China, and Brazil.
According to data from Kaspersky Lab, which tracked Careto a decade ago, the group's recent attacks have targeted organizations in Latin America and Central Africa.
During the latest campaign, the attackers aimed to steal confidential documents, autofill form data, browsing history, and cookies from popular browsers such as Chrome, Edge, Firefox, and Opera. They also targeted cookies from instant messengers, such as WhatsApp, WeChat, and Threema.
Georgy Kucherin, a security researcher at Kaspersky Lab, stated, “We were able to detect the latest Careto campaigns based on our knowledge of previous campaigns conducted by the group and indicators of compromise identified during our investigations.”
What sets these new attacks apart is the custom tooling the attackers used to infiltrate organizations' networks. Initial access was gained through the MDaemon email server, followed by the installation of a backdoor that gave the attackers control of the network. Additionally, a driver belonging to the HitmanPro.Alert anti-malware product was abused to maintain access.
As part of the Careto attack, the group exploited a previously unknown vulnerability in a security product to distribute four modular implants across each victim's network. These implants, named "Fakehmp," "Careto2," "Goreto," and "Mdaemon Implant," enabled a range of malicious activities, including microphone audio capture, keylogging, theft of confidential documents, and data exfiltration.
These sophisticated multi-module tools, as Kucherin highlighted, demonstrate the high level of sophistication of the Careto group's operations.
In its report for the first quarter of 2024, Kaspersky Lab also mentions other APT groups, such as Gelsemium, which previously used server exploits to deploy web shells and various user-mode tools against Palestinian organizations, and more recently against targets in Tajikistan and Kyrgyzstan.