Pierluigi Paganini
December 18, 2024
Kaspersky researchers linked several targeted attacks to a cyber espionage group known as The Mask. The APT group targeted an organization in Latin America in 2019 and 2022. Threat actors accessed an MDaemon email server and used its WorldClient webmail component to maintain persistence within the compromised organization.
“The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server.” reads the analysis published by Kaspersky. “These extensions can be configured through the C:\MDaemon\WorldClient\WorldClient.ini file”
The Mask group (aka “Careto” [Spanish for “Ugly Face” or “Mask”]) is a high-profile group of state-sponsored hackers that have been targeting government agencies, diplomatic offices, embassies, diplomatic offices and energy companies.
Kaspersky first identified the APT group in 2014, but experts believe the cyber espionage campaign had already been active for over five years. At the time, Kaspersky described it as the most sophisticated APT operation they had seen to date.
The Mask APT has been active since at least 2007, it demonstrated the capability to use complex implants, often delivered through zero-day exploits.
The experts have yet to determine the origins of the APT group, they also noticed that the threat actors are Spanish-speaking and targeted more than 30 countries around the world.
In latest attacks, The Mask used malicious extension for reconnaissance, file system interactions, and payload execution.
In early 2024, attackers used the hmpalert.sys driver and Google Updater to deploy a new implant, dubbed FakeHMP, enabling file retrieval, keylogging, screenshots, and further payloads. They also deployed a microphone recorder and file stealer.
While investigating the 2022 attack, the researchers noticed that the victim organization had also suffered a 2019 attack using “Careto2” and “Goreto” frameworks. Attackers deployed Careto2 using a loader, installer, and auxiliary registry file, then maintained persistence via COM hijacking. The framework loaded plugins from a virtual file system, with plugin names hashed as DJB2 values.
“Ten years after we last saw Careto cyberattacks, this actor is still as powerful as before. That is because Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading though the HitmanPro Alert driver, as well as developing complex multi-component malware.” concludes the report. “While we cannot estimate how long it will take for the community to discover the next attacks by this actor, we are confident that their next campaign will be as sophisticated as the previous ones.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT)
