The Mask’s history
- Origins: The Mask first appeared in 2007, operating with stealth and sophistication.
- Vanishing Act: In 2013, the group seemingly vanished, leaving behind a trail of cyber-espionage campaigns.
- Unique Victims: Over the years, they targeted around 380 unique victims across 31 countries, including major players like the US, UK, France, Germany, China, and Brazil.
About Careto aka The Mask
The gang "Careto" or "The Mask" began operations in 2007 and suddenly vanished in 2013. During that time, the Spanish-speaking threat actor claimed around 380 unique victims in 31 countries, including the United States, the United Kingdom, France, Germany, China, and Brazil.
Kaspersky researchers, who monitored Careto ten years ago and recently discovered new attacks, classified Careto's former victims as government organizations, diplomatic offices and embassies, energy, oil and gas corporations, research institutions, and private equity firms.
Sophisticated Tailored Methods
According to Kaspersky, Careto group actors use specialized tactics to sneak into both victim environments, maintain persistence, and harvest information.
In both attacks, for example, it appears that the attackers got early access using the organization's MDaemon email server, a software that many small and medium-sized enterprises use. According to Kaspersky, the attackers planted a backdoor on the server, giving them control of the network. They used a driver connected with the HitmanPro Alert malware scanner to sustain persistence.
Careto distributed four multi-modular implants on workstations across each victim's network as part of the attack chain, exploiting a previously undisclosed weakness in a security product utilized by both. Kaspersky's analysis did not specify the security product or weakness that Careto is exploiting in its latest operation. However, the company stated that it has provided comprehensive details about Careto's recent attacks, including tactics, strategies, and procedures, in a private APT report for customers.
The implant
The implants, named "FakeHMP," "Careto2," "Goreto," and the "MDaemon implant," allowed the attackers to carry out a variety of harmful acts in the victim environments. According to Kucherin, the MDaemon implant permitted threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement.
He emphasizes that threat actors use FakeHMP to record microphones and keyloggers and steal confidential papers and login information. Both Careto2 and Goreto perform keylogging and screenshot capture. Careto2 also facilitates file theft, according to Georgy Kucherin, security researcher at Kaspersky.
Implications and lessons
- Vigilance Matters: Organizations must remain vigilant even when APTs go silent. The Mask’s resurgence underscores the need for continuous monitoring.
- Advanced Techniques: The group’s ability to exploit zero-day vulnerabilities highlights the importance of robust security measures.
- Global Reach: The Mask’s diverse victim pool emphasizes that cyber threats transcend borders.