The Mask APT Returns with Advanced Cross-Platform Malware Capabilities

December 17, 2024

A cyber espionage group known as The Mask APT, also referred to as Careto, has been associated with a new wave of attacks that targeted an unnamed Latin American organization twice, once in 2019 and again in 2022. According to an analysis published last week by Kaspersky researchers Georgy Kucherin and Marc Rivero, "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007. Their targets are usually high-profile organizations, such as governments, diplomatic entities and research institutions."

The threat actor, which was first documented by Kaspersky in 2014, has targeted over 380 unique victims since 2007. The group typically gains initial access to target networks via spear-phishing emails containing links to a malicious website designed to exploit browser-based zero-day vulnerabilities, such as CVE-2012-0773, to infect visitors.

The Mask APT has also developed a comprehensive malware arsenal capable of targeting Windows, macOS, Android, and iOS platforms. In 2022, Kaspersky identified the group targeting a Latin American organization using an undetermined method to gain a foothold and maintain persistence by exploiting an MDaemon webmail component called WorldClient. "The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server," the researchers explained.

The threat actor reportedly compiled their own extension and added malicious entries in the WorldClient.ini file, specifying the path to the extension DLL. This rogue extension was designed to run commands for reconnaissance, file system interactions, and the execution of additional payloads. In the 2022 attack, the adversary used this method to spread to other computers within the organization's network and launch a malware implant known as FakeHMP.
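A defender-side check for the persistence described above, as an added example that is not part of Kaspersky's report: it parses a WorldClient.ini and flags any extension DLL path that sits outside the expected MDaemon install directory or points to a network share. The sample INI content, the `[Extensions]` section and the `ExtN` key names are constructed assumptions for illustration, not MDaemon's documented format.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample WorldClient.ini (assumed section/key names, not MDaemon's real schema).
SAMPLE_INI = r"""
[WorldClient]
Enabled=Yes

[Extensions]
Ext1=C:\MDaemon\WorldClient\Extensions\Official.dll
Ext2=C:\Users\Public\update.dll
Ext3=\\fileserver\share\helper.dll
"""

# Assumed install root; adjust to the server's actual MDaemon directory.
TRUSTED_ROOTS = [PureWindowsPath(r"C:\MDaemon\WorldClient")]


def is_under(path, root):
    """True if `path` lies beneath `root` (pure path math, no filesystem access)."""
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False


def find_suspicious_extensions(ini_text, trusted_roots=TRUSTED_ROOTS):
    """Return (section.key, dll_path, reasons) for every DLL entry that looks out of place."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # preserve key case so findings are readable
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if not value.lower().endswith(".dll"):
                continue  # only extension DLL references are of interest here
            reasons = []
            if value.startswith("\\\\"):
                reasons.append("UNC path")  # DLL loaded from a network share
            if not any(is_under(value, root) for root in trusted_roots):
                reasons.append("outside trusted install directory")
            if reasons:
                findings.append((f"{section}.{key}", value, reasons))
    return findings


if __name__ == "__main__":
    for entry, path, reasons in find_suspicious_extensions(SAMPLE_INI):
        print(f"{entry}: {path} -> {', '.join(reasons)}")
```

Run the same function over the live WorldClient.ini and follow up by checking the flagged DLLs' signatures and creation times against the server's change history.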

This was achieved by exploiting a legitimate driver of the HitmanPro Alert software, which fails to verify the legitimacy of the DLLs it loads, allowing the malware to be injected into privileged processes during system startup. The backdoor malware has a wide range of capabilities, including accessing files, logging keystrokes, and deploying further malware onto the compromised host.

The same organization was targeted by a previous attack in 2019 that involved two malware frameworks, Careto2 and Goreto. Careto2 is an updated version of a modular framework used between 2007 and 2013 that uses several plugins to take screenshots, monitor file modifications in specified folders, and exfiltrate data to an attacker-controlled Microsoft OneDrive storage. Goreto is a Golang-based toolset that periodically connects to a Google Drive storage to retrieve commands and execute them on the machine.

"Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading through the HitmanPro Alert driver, as well as developing complex multi-component malware," Kaspersky noted.
