Careto Hacker Group Resurfaces After a Decade, Unleashing New Attack Techniques

The legendary Careto threat actor, also known as “The Mask,” has resurfaced after a decade-long disappearance, employing sophisticated new attack methods that demonstrate the group’s continued evolution and technical prowess.

Kaspersky researchers unveiled these findings during the 34th Virus Bulletin International Conference in October, marking the first significant discovery of Careto activity since early 2014.

The Mask APT has been conducting highly sophisticated cyberattacks since at least 2007, primarily targeting high-profile organizations, including governments, diplomatic entities, and research institutions.

Their signature approach involves deploying complex implants, often delivered via zero-day exploits, making them among the most formidable threat actors in the cybersecurity landscape.

Kaspersky’s latest research uncovered two notable targeted attack clusters, including a 2022 compromise of a Latin American organization.

In this attack, threat actors gained access to an MDaemon email server and leveraged an unprecedented persistence method involving the WorldClient webmail component.

The attackers exploited WorldClient’s extension-loading capability, which allows custom HTTP request handling through the WorldClient.ini configuration file.

Figure: Authentication panel of the WorldClient component.

By compiling a malicious extension and adding CgiBase6 and CgiFile6 entries to WorldClient.ini, the adversaries established persistent access via HTTP requests to the webmail server domain. The extension implemented commands for reconnaissance, file system interaction, and payload execution.
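A defender-side configuration check for this persistence method, added here as an example and not taken from Kaspersky's research or MDaemon's own tooling: it parses a constructed WorldClient.ini and flags any CgiBaseN/CgiFileN extension pair whose DLL sits outside the expected install directory. The section name, the value formats and the trusted directory are assumptions; only the CgiBase/CgiFile key names come from the description above.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample WorldClient.ini (not a real capture). Section name and
# value formats are assumptions; the CgiBaseN/CgiFileN keys are the documented
# extension-loading mechanism the attackers abused.
SAMPLE_INI = """
[WorldClient]
CgiBase1=/WorldClient.dll
CgiFile1=C:\\MDaemon\\WorldClient\\WorldClient.dll
CgiBase6=/Update.dll
CgiFile6=C:\\Windows\\Temp\\update.dll
"""

# Directories from which extension DLLs are expected to load (assumed for
# this example; set to the real WorldClient install path in practice).
TRUSTED_DIRS = [r"C:\MDaemon\WorldClient"]

CGI_KEY = re.compile(r"^cgi(base|file)(\d+)$")


def parse_cgi_entries(ini_text):
    """Return {N: {"base": ..., "file": ...}} for every CgiBaseN/CgiFileN key."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so reports show the original spelling
    parser.read_string(ini_text)
    entries = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            match = CGI_KEY.match(key.lower())
            if match:
                kind, idx = match.group(1), int(match.group(2))
                entries.setdefault(idx, {})[kind] = value.strip()
    return entries


def is_trusted_path(path_str):
    """True if the DLL path lies under one of TRUSTED_DIRS (case-insensitive)."""
    path = PureWindowsPath(path_str)
    return any(PureWindowsPath(d) in path.parents for d in TRUSTED_DIRS)


def find_suspicious_extensions(ini_text):
    """Flag incomplete pairs and extension DLLs loaded from untrusted locations."""
    findings = []
    for idx, entry in sorted(parse_cgi_entries(ini_text).items()):
        file_path = entry.get("file")
        if file_path is None or "base" not in entry:
            findings.append((idx, "incomplete CgiBase/CgiFile pair"))
        elif not is_trusted_path(file_path):
            findings.append((idx, f"extension DLL outside trusted dirs: {file_path}"))
    return findings


if __name__ == "__main__":
    for idx, reason in find_suspicious_extensions(SAMPLE_INI):
        print(f"CgiBase{idx}/CgiFile{idx}: {reason}")
```

Run it against the live WorldClient.ini on the mail server (and compare against a known-good copy) rather than the embedded sample; any flagged DLL should be hashed and its signature checked before removal.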

FakeHMP Implant and Lateral Movement

The threat actor demonstrated advanced lateral movement capabilities by exploiting a legitimate HitmanPro Alert driver (hmpalert.sys).

Attackers uploaded four files to compromised systems: the legitimate driver, a malicious DLL payload, a .bat file, and an XML file containing scheduled task descriptions.

The technique exploited the driver’s failure to verify DLL legitimacy, allowing attackers to inject their payload dubbed “FakeHMP” into privileged processes like winlogon.exe and dwm.exe during system startup.

The FakeHMP implant featured comprehensive capabilities including file retrieval, keystroke logging, screenshot capture, and payload deployment.

Investigation revealed that the same Latin American organization had already been compromised in 2019 using two malicious frameworks: “Careto2” and “Goreto.”

Careto2 employed COM hijacking for persistence and used a virtual file system to store plugins with capabilities including configuration management, file monitoring, screenshot capture, and data exfiltration to OneDrive storage.

Goreto, written in Golang, periodically connected to Google Drive to retrieve commands supporting file download/upload, shell command execution, keylogging, and screenshot capture, demonstrating the group’s embrace of cloud infrastructure for command-and-control operations.

In early 2024, researchers observed the group using a different delivery technique involving Google Updater, demonstrating continued tactical evolution.

Attribution and Technical Indicators

Kaspersky attributed these attacks with medium-to-high confidence based on multiple indicators.

File naming conventions closely resembled those used by The Mask between 2007 and 2013, including patterns like “~df01ac74d8be15ee01.tmp” and “c_27803.nls.” Plugin names such as “FileFilter,” “Storage,” and “ConfigMgr” matched historical naming schemes.

Additionally, shared TTPs including virtual file systems for plugin storage, COM hijacking persistence, and cloud storage exfiltration provided strong attribution evidence.

The Mask’s return demonstrates that sophisticated threat actors can remain dormant for extended periods while maintaining their technical capabilities.

Their ability to develop extraordinary infection techniques and complex multi-component malware ensures they remain a significant threat to high-value targets worldwide.
