The Mask APT reappears with a sophisticated arsenal of cross-platform malware

By Admin | December 17, 2024 | 4 Mins Read
December 17, 2024 | Ravi Lakshmanan | Cyber Espionage / Mobile Security

A multi-platform arsenal of malware

A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America on two occasions, in 2019 and 2022.

“The Mask APT is a legendary threat that has been carrying out highly sophisticated attacks since at least 2007,” Kaspersky researchers Georgy Kucherin and Mark Rivera said in an analysis published last week. “Their targets are usually high-profile organizations such as governments, diplomatic missions and research institutions.”

Also known as Careto, the threat actor was first documented by the Russian cybersecurity company more than ten years ago, in February 2014. It has claimed over 380 unique victims since 2007. The origin of the hacking group is currently unknown.


Initial access to target networks is facilitated by spear-phishing emails that embed links to a malicious website designed to trigger zero-day browser exploits (such as CVE-2012-0773) to infect the visitor, and then redirect them to benign sites such as YouTube or a news portal.

There is also some evidence that threat actors have developed an extensive arsenal of malware capable of targeting Windows, macOS, Android, and iOS.

Kaspersky said it identified The Mask in 2022 targeting a Latin American organization using an as-yet-unspecified method to gain a foothold and maintain persistence using MDaemon’s webmail component called WorldClient.

“The persistence method used by the threat actor was based on WorldClient allowing the loading of extensions that handle custom HTTP requests from clients to the email server,” the researchers said.

The threat actor is said to have compiled its own extension and configured it by adding malicious entries to the WorldClient.ini file pointing to the extension’s DLL path.
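As an added illustration of the defender-side check this persistence technique suggests (example code, not from Kaspersky or the article): a script that parses a WorldClient.ini and flags extension entries whose DLL path lies outside the directory where legitimate extensions are expected. The section name, key names and directory paths are assumptions, not MDaemon's documented format, and the sample INI is constructed.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample of a WorldClient.ini. The [Extensions] section and its
# key names are an assumed layout for illustration, not MDaemon's real format.
SAMPLE_INI = """
[WebServer]
Port=3000

[Extensions]
Ext1=C:\\MDaemon\\WorldClient\\Extensions\\LegitAddon.dll
Ext2=C:\\ProgramData\\cache\\wcext.dll
"""

# Assumed location of legitimately installed extensions; adjust to your deployment.
ALLOWED_DIRS = [PureWindowsPath(r"C:\MDaemon\WorldClient\Extensions")]


def _is_under(path, parent):
    """True if `path` is inside `parent` (Windows paths compare case-insensitively)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def find_suspicious_extensions(ini_text, allowed_dirs=ALLOWED_DIRS):
    """Return (key, dll_path) pairs for extension entries outside the allowed directories."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # preserve key case so findings match the file verbatim
    cp.read_string(ini_text)
    findings = []
    if not cp.has_section("Extensions"):
        return findings
    for key, value in cp.items("Extensions"):
        dll = PureWindowsPath(value.strip().strip('"'))
        if dll.suffix.lower() != ".dll":
            continue  # only DLL-backed entries are relevant to this technique
        if not any(_is_under(dll, d) for d in allowed_dirs):
            findings.append((key, str(dll)))
    return findings


if __name__ == "__main__":
    for key, path in find_suspicious_extensions(SAMPLE_INI):
        print(f"[!] extension {key} loads DLL from unexpected location: {path}")
```

On a real server, pair this with a check of the DLL's signature and modification time, since an attacker can also drop a file into the expected directory.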

The rogue extension is designed to execute reconnaissance commands, interact with the file system, and run additional payloads. In the 2022 attack, the adversary used this method to spread to other computers on the organization’s network and launch an implant called FakeHMP (“hmpalert.dll”).

This is achieved by abusing the legitimate HitmanPro Alert driver (“hmpalert.sys”), exploiting the fact that it does not verify the legitimacy of the DLLs it loads, which makes it possible to inject malware into privileged processes during system startup.

The backdoor supports a wide range of features to access files, log keystrokes, and deploy further malware on the compromised host. Other tools deployed on the compromised systems included a microphone recorder and file-stealing software.

The cybersecurity company’s investigation also revealed that the same organization was the subject of an earlier attack in 2019 involving two malware strains codenamed Careto2 and Goreto.


Careto2 is an updated version of the modular framework observed between 2007 and 2013. It uses several plugins to capture the screen, monitor file modifications in specific folders, and exfiltrate data to attacker-controlled Microsoft OneDrive storage.

Goreto, on the other hand, is a Golang-based toolkit that periodically connects to Google Drive storage to retrieve commands and execute them on the machine. This includes downloading and uploading files, getting and running payloads from Google Drive, and executing a specified shell command. In addition, Goreto includes functions for recording keystrokes and screenshots.

That’s not all. The threat actors were also observed using the “hmpalert.sys” driver to infect the machine of an unidentified individual or organization in early 2024.

“Careto is capable of inventing extraordinary infection methods, such as persistence via the MDaemon email server or loading an implant via the HitmanPro Alert driver, as well as developing sophisticated multi-component malware,” Kaspersky said.
