An advanced persistent threat (APT) group known as “Careto” or “The Mask” has recently resurfaced after a decade-long hiatus, launching cyber-espionage campaigns primarily targeting organizations in Latin America and Central Africa.
This group, which first emerged in 2007, seemed to disappear from the radar in 2013. However, its recent reemergence has caught the attention of cybersecurity researchers, raising concerns about the group’s capabilities and intentions. The group likely originated in Spain.
A Prolific Threat Actor
During its initial active phase, the Careto group successfully infiltrated numerous organizations across 31 countries, including the US, UK, France, Germany, China, and Brazil. Its victims included government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, and private equity firms.
According to researchers from Kaspersky, who tracked Careto’s activities a decade ago and have recently detected its new attacks, the group has already targeted at least two organizations in its latest campaign, one in Central Africa and another in Latin America. The primary objective of these attacks appears to be the theft of confidential documents, cookies, form history, and login data from various web browsers and messaging applications such as WhatsApp, WeChat, and Threema.
Sophisticated Techniques of “The Mask”
Kaspersky’s analysis reveals that Careto employs custom techniques to breach victim environments, maintain persistence, and extract information. In the recent attacks, the group gained initial access through the organization’s MDaemon email server, a product commonly used by small and midsize businesses.
Once inside the network, Careto implanted a backdoor on the server, granting them control over the network. Additionally, the group exploited a previously unknown vulnerability in a security product used by both victims to distribute four multi-modular implants across the network.
These implants, named “FakeHMP,” “Careto2,” “Goreto,” and the “MDaemon implant,” enabled the threat actors to execute a variety of malicious actions, including keylogging, screenshot capturing, microphone recording, and stealing confidential documents and login data.
Versatile Modular Implants
Each of the implants discovered in Careto’s recent attacks serves specific purposes within the victim environments:
- MDaemon implant: Conducts initial reconnaissance, extracts system configuration information, and executes lateral movement commands.
- FakeHMP: Records microphone input, captures keystrokes, and steals confidential documents and login data.
- Careto2 and Goreto: Perform keylogging, screenshot capturing, and file theft.
Unveiling APT Activities
The resurgence of Careto is part of a broader trend of increased APT activity observed by Kaspersky during the first quarter of 2024. Other threat groups highlighted in their report include Gelsemium, which has been deploying web shells and custom tools in Palestine, Tajikistan, and Kyrgyzstan, and North Korea’s Kimsuky group, which has been exploiting weak DMARC policies in targeted phishing campaigns.
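The "weak DMARC policies" mentioned above are a configuration problem that can be checked mechanically. The following is an added example, not code from the article or from Kaspersky's report: it parses a DMARC TXT record string and lists the settings that leave a domain open to spoofing (a monitoring-only p=none policy, a partial pct, an unprotected subdomain policy, or no aggregate reporting address). The record strings below are constructed for illustration; no DNS lookup is performed, so the function takes whatever a practitioner retrieves with a TXT query for _dmarc.<domain>.

```python
"""Flag weak DMARC records (added example; records below are constructed)."""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=...' into a tag->value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore empty trailing segments and malformed pieces
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable weakness findings; an empty list means the policy is enforced."""
    findings = []
    tags = parse_dmarc(record)

    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag (required by RFC 7489)")
    elif policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")

    # pct defaults to 100; anything lower applies the policy to a sample of failing mail only
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers fall back to 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # sp= governs subdomains and inherits p= when absent
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains can be spoofed despite the organisational policy")

    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts generate no aggregate reports")

    return findings


# Constructed sample records (not real domains' policies)
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=10; sp=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, rec in (("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)):
        print(label, "->", assess_dmarc(rec) or ["no weaknesses found"])
```

A domain whose record yields no findings still depends on SPF and DKIM being correctly published for its legitimate senders; this check only tells you whether receivers are instructed to act on failures.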
Additionally, Iran’s OilRig group continues to pose a significant threat, particularly to Israel’s critical infrastructure sector.
In conclusion, the re-emergence of the Careto group underscores the persistent and evolving nature of cyber threats. Organizations must remain vigilant and continuously update their cybersecurity strategies to defend against advanced and persistent threats like Careto and others. With the threat landscape constantly evolving, proactive defence measures are essential to mitigate the risks posed by such sophisticated adversaries.