A little-known cyber espionage actor referred to as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice, in 2019 and 2022.
“The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007,” Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. “Their targets are usually high-profile organizations, such as governments, diplomatic entities and research institutions.”
Also known as Careto, the threat actor was previously documented by the Russian cybersecurity company over a decade ago, in February 2014, as having targeted over 380 unique victims since 2007. The origins of the hacking group are currently unknown.
Initial access to target networks is facilitated by means of spear-phishing emails embedding links to a malicious website that is designed to trigger browser-based zero-day exploits to infect the visitor (e.g., CVE-2012-0773), after which they are redirected to benign sites like YouTube or a news portal.
There is also some evidence suggesting that the threat actors have developed a comprehensive malware arsenal that is capable of targeting Windows, macOS, Android, and iOS.
Kaspersky said it identified The Mask targeting a Latin American organization in 2022, using an as-yet-undetermined method to gain a foothold and maintain persistence by making use of an MDaemon webmail component called WorldClient.
“The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server,” the researchers said.
The threat actor is said to have compiled their own extension and configured it by adding malicious entries to the WorldClient.ini file specifying the path to the extension DLL.
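One defensive check a practitioner could run against this persistence technique, as an added example that is not from Kaspersky's report or from MDaemon: parse WorldClient.ini, list every value that names a DLL, and flag any entry whose path lies outside the expected MDaemon install tree. The section and key names, the install root, and the sample INI content are constructed assumptions; the report does not reproduce the real file schema.

```python
"""Audit a WorldClient.ini for extension DLL entries outside the install tree.

Added example, not Kaspersky's or MDaemon's code. The INI schema below is a
placeholder: the report only says that the attacker added entries pointing at
the path of a rogue extension DLL, not which keys carry them.
"""
import configparser
from pathlib import PureWindowsPath

# Constructed sample INI (section/key names are assumptions, not the real schema).
SAMPLE_INI = r"""
[WorldClient]
HostName=mail.example.test

[Extensions]
Ext1=C:\MDaemon\WorldClient\Extensions\Calendar.dll
Ext2=C:\Windows\Temp\hmpalert.dll
"""

# Assumed install root; adjust to the real MDaemon directory on the host.
EXPECTED_ROOT = PureWindowsPath(r"C:\MDaemon")


def find_dll_entries(ini_text):
    """Return (section, key, path) for every value that names a .dll file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # preserve key case for readable findings
    cp.read_string(ini_text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value.strip().lower().endswith(".dll"):
                hits.append((section, key, value.strip()))
    return hits


def is_outside_root(path_str, root=EXPECTED_ROOT):
    """True when the DLL path does not sit under the expected install tree."""
    try:
        PureWindowsPath(path_str).relative_to(root)
        return False
    except ValueError:
        return True


def suspicious_extensions(ini_text, root=EXPECTED_ROOT):
    """DLL entries that a reviewer should inspect: any loaded from outside root."""
    return [(s, k, v) for s, k, v in find_dll_entries(ini_text)
            if is_outside_root(v, root)]


if __name__ == "__main__":
    for section, key, path in suspicious_extensions(SAMPLE_INI):
        print(f"[{section}] {key} -> {path}: extension DLL outside install tree")
```

A DLL inside the install tree can still be rogue, so pair this with a file-hash or code-signing check of every listed extension.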
The rogue extension is designed to run commands that enable reconnaissance, file system interactions, and the execution of additional payloads. In the 2022 attack, the adversary used this method to spread to other computers inside the organization's network and launch an implant dubbed FakeHMP (“hmpalert.dll”).
This is accomplished by means of a legitimate driver of the HitmanPro Alert software (“hmpalert.sys”), taking advantage of the fact that it fails to verify the legitimacy of the DLLs it loads, thus making it possible to inject the malware into privileged processes during system startup.
The backdoor supports a wide range of features to access files, log keystrokes, and deploy further malware onto the compromised host. Some of the other tools delivered to the compromised systems included a microphone recorder and a file stealer.
The cybersecurity company's investigation further found that the same organization was subjected to a prior attack in 2019 that involved the use of two malware frameworks codenamed Careto2 and Goreto.
Careto2 is an updated version of the modular framework observed between 2007 and 2013 that leverages several plugins to take screenshots, monitor file modifications in specified folders, and exfiltrate data to attacker-controlled Microsoft OneDrive storage.
Goreto, on the other hand, is a Golang-based toolset that periodically connects to Google Drive storage to retrieve commands and execute them on the machine. This includes uploading and downloading files, fetching and running payloads from Google Drive, and executing a specified shell command. Furthermore, Goreto incorporates features to capture keystrokes and screenshots.
That's not all. The threat actors have also been detected using the “hmpalert.sys” driver to infect an unidentified individual's or organization's machine in early 2024.
“Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading though the HitmanPro Alert driver, as well as developing complex multi-component malware,” Kaspersky said.