The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal
Summary:
The Mask, also known as Careto, is a highly sophisticated cyber espionage group that has been active since at least 2007, primarily targeting high-profile organizations such as governments, diplomatic entities, and research institutions. Kaspersky researchers recently linked the group to attacks on a Latin American organization in 2019 and 2022, showcasing their advanced malware capabilities and creative persistence techniques. Initial access is typically achieved through spear-phishing emails containing links to malicious websites that exploit browser-based zero-day vulnerabilities, such as CVE-2012-0773.
In the 2022 attack, The Mask leveraged the MDaemon webmail’s WorldClient component to maintain persistence by loading malicious extensions. These extensions enabled reconnaissance, file system interactions, and lateral movement within the network. The attackers deployed a backdoor named FakeHMP, exploiting the legitimate HitmanPro Alert driver to inject malicious DLLs into privileged processes during system startup. This backdoor provided capabilities such as keystroke logging, file access, and the execution of additional payloads, including tools for recording audio and stealing files.
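A defender's starting point for the startup-injection behaviour described above, written as an added example (it is not code from the Kaspersky report or from the linked articles): a filter over Sysmon-style ImageLoad records that flags unsigned DLLs mapped into privileged processes within the boot window. The record shape, the trusted-directory allowlist, the five-minute window and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Directories from which DLL loads into privileged processes are considered
# expected; anything outside these is worth a look (assumption, tune per estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
BOOT_WINDOW = timedelta(minutes=5)   # "during system startup" in the summary


@dataclass
class ImageLoad:
    """One Sysmon Event ID 7 (ImageLoad) record, reduced to the fields used here."""
    utc_time: datetime
    image: str          # process that mapped the DLL
    image_loaded: str   # full path of the DLL
    signed: bool        # Sysmon 'Signed' field
    user: str


def suspicious_loads(events, boot_time):
    """Return loads of unsigned DLLs from untrusted paths into privileged
    processes inside the boot window, the pattern described for FakeHMP."""
    hits = []
    for e in events:
        in_boot_window = boot_time <= e.utc_time <= boot_time + BOOT_WINDOW
        from_trusted_dir = e.image_loaded.lower().startswith(TRUSTED_DIRS)
        if (in_boot_window and e.user.upper() in PRIVILEGED_USERS
                and not e.signed and not from_trusted_dir):
            hits.append(e)
    return hits


def constructed_events():
    """Constructed sample records, not telemetry from the incident."""
    boot = datetime(2024, 1, 1, 8, 0, 0)
    return boot, [
        # Normal: signed system DLL into a SYSTEM process at boot.
        ImageLoad(boot + timedelta(seconds=20), "C:\\Windows\\System32\\svchost.exe",
                  "C:\\Windows\\System32\\ntdll.dll", True, "NT AUTHORITY\\SYSTEM"),
        # Suspicious: unsigned DLL from ProgramData into a SYSTEM process at boot.
        ImageLoad(boot + timedelta(seconds=45), "C:\\Windows\\System32\\winlogon.exe",
                  "C:\\ProgramData\\sample\\helper.dll", False, "NT AUTHORITY\\SYSTEM"),
        # Not flagged: unsigned DLL, but loaded by a user process long after boot.
        ImageLoad(boot + timedelta(hours=2), "C:\\Users\\bob\\app.exe",
                  "C:\\Users\\bob\\plugin.dll", False, "DESKTOP\\bob"),
    ]


if __name__ == "__main__":
    boot, events = constructed_events()
    for hit in suspicious_loads(events, boot):
        print(f"{hit.utc_time} {hit.image} loaded {hit.image_loaded} as {hit.user}")
```

In a real deployment the boot time comes from the host's Event ID 6005 or `systeminfo` boot timestamp and the events from the Sysmon operational log; the filter is a triage aid, not a verdict, since legitimate software also ships unsigned components.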
Security Officer Comments:
Careto2, an updated version of the group’s earlier modular framework, used plugins to capture screenshots, monitor file changes, and exfiltrate data to Microsoft OneDrive. Meanwhile, Goreto, a Golang-based toolset, connected to Google Drive to retrieve and execute commands, upload or download files, and capture keystrokes and screenshots. Kaspersky’s investigation also revealed that The Mask used the same HitmanPro Alert driver in early 2024 to compromise another target. The Mask’s ability to develop multi-component malware, target multiple platforms (Windows, macOS, Android, iOS), and abuse legitimate software for persistence highlights the group’s adaptability and sophistication.
Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:

Link(s):
https://thehackernews.com/2024/12/the-mask-apt-resurfaces-with.html
https://securelist.com/careto-is-back/114942/