'The Mask' Espionage Group Resurfaces After 10-Year Hiatus

Careto, also known as "The Mask," resurfaced after a lengthy hiatus, launching a cyber-espionage campaign targeting organizations primarily in Latin America and Central Africa. This APT group was initially active from 2007 to 2013, during which it targeted a diverse range of victims across 31 countries, including prominent entities like government institutions, diplomatic offices, energy companies, research institutions, and private equity firms. Their sudden reappearance has reignited concerns about their sophisticated tactics and capabilities. Kaspersky, a cybersecurity firm that has been tracking Careto's activities for over a decade, observed the group's recent attacks targeting at least two organizations—one in Central Africa and another in Latin America. Careto's modus operandi involves stealing confidential documents, login credentials, browsing history, and cookies from popular web browsers and messaging apps like WhatsApp, WeChat, and Threema. This data can be leveraged for intelligence gathering, financial gain, or further network exploitation.

In their latest campaign, Careto demonstrated a high level of sophistication by exploiting a previously unknown vulnerability in a security product used by their targets. This allowed them to deploy four multi-modular implants, namely "FakeHMP," "Careto2," "Goreto," and the "MDaemon implant," across the compromised networks. These implants serve various purposes, including reconnaissance, keylogging, screenshot capturing, file theft, and executing commands for lateral movement within the victim environments.

Security Officer Comments:
One notable aspect of Careto's strategy is their use of the MDaemon email server as an initial entry point into the victim networks. By planting a backdoor on this server, the threat actors gained control over the network infrastructure, enabling them to persistently monitor and manipulate activities. Additionally, they exploited a driver associated with the HitmanPro Alert malware scanner to maintain their presence and evade detection. The resurgence of this APT group serves as a stark reminder of the persistent and evolving nature of cyber threats faced by businesses and governments globally.

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.