'The Mask' Espionage Group Resurfaces After 10-Year Hiatus

An advanced persistent threat group that has been missing in action for more than a decade has suddenly resurfaced in a cyber-espionage campaign targeting organizations in Latin America and Central Africa.
During its earlier period of activity, the Spanish-speaking threat actor claimed some 380 unique victims across 31 countries, including the US, UK, France, Germany, China, and Brazil.
A Prolific Threat Actor

Researchers from Kaspersky, who tracked Careto 10 years ago and also spotted its new attacks recently, have identified Careto's previous victims as including government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, and private equity firms.
In a blog post this week, Kaspersky reported that the group has so far targeted at least two organizations in its sophisticated new campaign, one in Central Africa and the other in Latin America.
The focus of the attacks appears to have been on stealing confidential documents, cookies, form history, and login data for Chrome, Edge, Firefox, and Opera browsers, Kaspersky said.
The security vendor said it had also observed the attackers targeting cookies from messenger apps such as WhatsApp, WeChat, and Threema.
Custom Techniques

Kaspersky characterized the Careto group as using custom techniques to break into both victim environments, to maintain persistence on them, and to harvest information.
In both attacks, the attackers appear to have gained initial access via the organization's MDaemon email server, a product that many small and midsize businesses use.
The attackers then planted a backdoor on the server, which gave them control over the network, and also took advantage of a driver associated with the HitmanPro Alert malware scanner to maintain persistence, Kaspersky said.
As part of the attack chain, Careto exploited a previously unknown vulnerability in a security product used by both victims to distribute four multi-modular implants on machines across each victim's network.
Kaspersky's report did not identify the security product or the vulnerability that Careto has been exploiting in its new campaign.
The company said it has included full details of Careto's latest attacks, including its tactics, techniques, and procedures, in a private APT report for customers.
The MDaemon implant enabled the threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement, Kucherin says.
The threat actors are using FakeHMP for microphone recording and keylogging purposes and also for stealing confidential documents and login data, he notes.
Both Careto2 and Goreto also perform keylogging and screenshot capturing.
Careto2 supports file theft as well, Kucherin says.
The Careto group is one of several threat groups that Kaspersky highlighted in a roundup of APT activity during the first quarter of 2024.
Another is Gelsemium, a threat group that has been using server-side exploits to deploy a Web shell and multiple custom tools on organizations in Palestine and, more recently, in Tajikistan and Kyrgyzstan.
Others in the roundup include North Korea's Kimsuky group, which was recently spotted abusing weak DMARC policies in a targeted phishing campaign, and Iran's OilRig group, which is well known for its attacks on targets within Israel's critical infrastructure sector.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 09 May 2024 21:50:34 +0000