Kaspersky Labs has unveiled research on the return of “The Mask,” also known as Careto, a legendary Advanced Persistent Threat (APT) actor. After a decade-long silence since its last known activity in 2014, Careto is back with new, sophisticated attacks targeting high-profile organizations, including governments, diplomatic entities, and research institutions.
First identified in 2007, Careto gained notoriety for its highly advanced cyber-espionage campaigns that relied on zero-day exploits and complex malware implants. According to Kaspersky, “The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007.”
The group's recent resurgence spans targeted attacks from 2019 to 2024 that show evolved methods while retaining continuity with its historical tactics.
Kaspersky’s latest report highlights several new techniques employed by Careto, including:
- MDaemon Email Server Exploits (2022): Careto used the MDaemon WorldClient webmail component for persistence. By loading custom malicious extensions into the server, they maintained access and interacted with the compromised system through HTTP requests. The report notes, “The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests.”
- FakeHMP Implant (2024): Leveraging the HitmanPro Alert driver (hmpalert.sys), Careto installed a new implant, FakeHMP, capable of keystroke logging, file retrieval, and deploying further payloads. Careto exploited the driver’s inability to verify DLL legitimacy to inject malicious code into privileged processes like winlogon.exe.
- Multi-Component Malware Frameworks (2019):
  - Careto2: Included plugins for configuration management, file monitoring, and screenshot capabilities.
  - Goreto: Written in Go, this framework used Google Drive for command-and-control (C2) communications, executing commands and exfiltrating data.
Kaspersky attributed the campaigns to Careto with “medium to high confidence,” citing overlapping tactics, techniques, and procedures (TTPs) across their historical and recent activities. This includes the reuse of file names and plugin structures. The researchers found that “the campaigns conducted in 2007–2013 and 2019 have multiple overlaps in terms of TTPs, for instance, the use of virtual file systems for storing plugins and leveraging of COM hijacking for persistence.”
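The COM hijacking persistence cited above is something defenders can audit on an endpoint. The following PowerShell check is added here and is not part of Kaspersky's report: it lists per-user COM server registrations (HKCU\Software\Classes\CLSID\*\InprocServer32) whose DLL is missing from disk or lives outside the Windows and Program Files directories; the trusted-root heuristic and the output fields are this example's own assumptions.

```powershell
# Added example (not Kaspersky's code): enumerate per-user COM server registrations and
# flag those that point to a user-writable location or to a DLL that no longer exists.
# HKCU CLSID entries take precedence over HKLM entries for that user, which is what makes
# COM hijacking usable for persistence; legitimate software rarely registers servers there
# from user-writable paths. The "trusted root" list below is a heuristic, not a guarantee.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (-not (Test-Path $clsidRoot)) { Write-Output 'No per-user CLSID hive present.'; return }

Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $serverKey = "$($_.PSPath)\InprocServer32"
    if (-not (Test-Path $serverKey)) { return }   # no in-process server under this CLSID
    $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return }
    # Expand %VARIABLES% and strip surrounding quotes before examining the path.
    $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
    }
    $exists = Test-Path -LiteralPath $dll
    if (-not $inTrustedRoot -or -not $exists) {
        [pscustomobject]@{
            CLSID  = $_.PSChildName
            Server = $dll
            OnDisk = $exists
            Reason = if (-not $exists) { 'missing DLL' } else { 'user-writable path' }
        }
    }
} | Format-Table -AutoSize
```

Run it in the context of each interactive user (the hive is per-user), and treat any hit as a lead to triage against the HKLM registration of the same CLSID rather than as a verdict on its own.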
Careto’s renewed activity demonstrates their adaptability and ongoing threat to global cybersecurity. Their ability to innovate, such as using cloud storage for exfiltration and developing multi-layered malware frameworks, suggests a continued capacity for high-profile espionage. Kaspersky warns, “Ten years after we last saw Careto cyberattacks, this actor is still as powerful as before.”