An APT group that had been absent for over a decade has reappeared in a cyber-espionage campaign aimed at organizations in Latin America and Central Africa.
The Mask's history
Origins: The Mask first appeared in 2007, operating with stealth and sophistication.
Vanishing Act: In 2013, the group seemingly vanished, leaving behind a trail of cyber-espionage campaigns.
Unique Victims: Over the years, the group targeted around 380 unique victims across 31 countries, including major players such as the US, UK, France, Germany, China, and Brazil.
During that time, the Spanish-speaking threat actor claimed around 380 unique victims in 31 countries, including the United States, the United Kingdom, France, Germany, China, and Brazil.
Kaspersky researchers, who monitored Careto ten years ago and recently discovered new attacks, classified Careto's former victims as government organizations, diplomatic offices and embassies, energy, oil and gas corporations, research institutions, and private equity firms.
Sophisticated Tailored Methods
According to Kaspersky, the Careto group uses specialized tactics to infiltrate the environments of both recent victims, maintain persistence, and harvest information.
In both attacks, for example, the attackers appear to have gained initial access through the organization's MDaemon email server, software used by many small and medium-sized enterprises.
According to Kaspersky, the attackers planted a backdoor on the server, giving them control of the network.
As part of the attack chain, Careto deployed four multi-modular implants on workstations across each victim's network, exploiting a previously undisclosed weakness in a security product used by both organizations.
Kaspersky's analysis did not specify the security product or weakness that Careto is exploiting in its latest operation.
The company stated that it has provided comprehensive details about Careto's recent attacks, including tactics, strategies, and procedures, in a private APT report for customers.
According to Georgy Kucherin, security researcher at Kaspersky, the MDaemon implant allowed the threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement.
He emphasizes that the threat actors use FakeHMP to record microphone audio, log keystrokes, and steal confidential documents and login credentials.
Both Careto2 and Goreto perform keylogging and screenshot capture.
Careto2 also facilitates file theft, Kucherin says.
Implications and lessons
Vigilance Matters: Organizations must remain vigilant even when APTs go silent.
The Mask's resurgence underscores the need for continuous monitoring.
Advanced Techniques: The group's ability to exploit zero-day vulnerabilities highlights the importance of robust security measures.
Global Reach: The Mask's diverse victim pool emphasizes that cyber threats transcend borders.
This Cyber News was published on www.cysecurity.news. Publication date: Sat, 11 May 2024 16:13:06 +0000