The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal

Summary:
The Mask, also known as Careto, is a highly sophisticated cyber espionage group that has been active since at least 2007, primarily targeting high-profile organizations such as governments, diplomatic entities, and research institutions. Kaspersky researchers recently attributed attacks on a Latin American organization in 2019 and 2022 to the group, showcasing its advanced malware capabilities and creative persistence techniques. Historically, initial access has been achieved through spear-phishing emails containing links to malicious websites that exploited zero-day vulnerabilities in the browser and its plugins, such as CVE-2012-0773 in Adobe Flash Player.

In the 2022 attack, The Mask maintained persistence on the victim's MDaemon mail server by registering malicious extensions with its WorldClient webmail component, which loads extensions declared in its configuration. These extensions gave the attackers reconnaissance, file system access, and a foothold for lateral movement within the network. On endpoints, the attackers deployed a backdoor named FakeHMP that abuses the legitimate HitmanPro Alert driver: the driver's own DLL-injection behaviour is used to load the malicious DLL into privileged processes during system startup, so no vulnerability in the driver is required. The backdoor provided keystroke logging, file access, and the execution of additional payloads, including tools for recording audio and stealing files.

Security Officer Comments:
Careto2, an updated version of the group's earlier modular framework, used plugins to capture screenshots, monitor file changes, and exfiltrate data to Microsoft OneDrive. Goreto, a Golang-based toolset, used Google Drive as its command channel: it retrieved commands from the drive and executed them, uploaded or downloaded files, and captured keystrokes and screenshots. Both implants therefore blend their traffic into connections to legitimate cloud services, which is why process-level visibility (which binary is talking to OneDrive or Google Drive) is more useful than a network blocklist here. Kaspersky's investigation also found that The Mask used the same HitmanPro Alert driver abuse in early 2024 to compromise another target. The Mask's ability to develop multi-component malware, target multiple platforms (Windows, macOS, Android, iOS), and turn legitimate software into a persistence mechanism highlights the group's adaptability and sophistication.
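To make the two behaviours above (a DLL injected into privileged processes via a legitimate driver, and implants talking to OneDrive or Google Drive) concrete for a hunt, here is an added example of detection logic. It is not code from the page, from Kaspersky, or from the MDaemon or HitmanPro vendors. It runs over constructed Sysmon-style ImageLoad (Event ID 7) and NetworkConnect (Event ID 3) records embedded in the script; the field names follow Sysmon's schema, but the process names, file paths, the list of privileged processes, the set of expected cloud clients, and the sample events are all assumptions invented for illustration and should be adapted to your environment.

```python
"""Hunting heuristics for the two Careto behaviours described above.

Added example, not code from the page or from Kaspersky. It runs over
constructed Sysmon-style event records (embedded below). Field names
follow Sysmon Event ID 7 (ImageLoad) and Event ID 3 (NetworkConnect);
process names, paths, hosts and the sample events are invented.
"""
import fnmatch

# Hosts used by the legitimate OneDrive / Google Drive services.
# A process that is neither a browser nor the official sync client
# talking to them deserves a look. (Assumption: the clients your
# environment actually sanctions are the ones in EXPECTED_CLOUD_CLIENTS.)
CLOUD_STORAGE_HOSTS = (
    "graph.microsoft.com",
    "*.files.1drv.com",
    "www.googleapis.com",
    "oauth2.googleapis.com",
)
EXPECTED_CLOUD_CLIENTS = {
    "onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
    "googledrivefs.exe",
}

# Processes that normally run as SYSTEM and are attractive injection
# targets; the DLLs they load should live under these roots.
# (Assumption: extend both sets with what your baseline shows.)
PRIVILEGED_IMAGES = {"winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
TRUSTED_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_dll_loads(events):
    """Event ID 7: a DLL loaded into a privileged process from outside
    the trusted roots, or one that is not signed. Returns (process, dll)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        proc = _basename(ev["Image"])
        if proc not in PRIVILEGED_IMAGES:
            continue
        dll = ev["ImageLoaded"].lower()
        outside_trusted_roots = not dll.startswith(TRUSTED_DLL_ROOTS)
        unsigned = ev.get("Signed", "false").lower() != "true"
        if outside_trusted_roots or unsigned:
            hits.append((proc, ev["ImageLoaded"]))
    return hits


def unexpected_cloud_connections(events):
    """Event ID 3: an outbound connection to a cloud-storage API host
    from a process that is not a browser or the official sync client.
    Returns (process, destination host)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        host = ev.get("DestinationHostname", "").lower()
        if not any(fnmatch.fnmatch(host, pat) for pat in CLOUD_STORAGE_HOSTS):
            continue
        proc = _basename(ev["Image"])
        if proc not in EXPECTED_CLOUD_CLIENTS:
            hits.append((proc, host))
    return hits


# Constructed sample events, not real telemetry. The injected DLL path
# and the beaconing binary are hypothetical names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\winlogon.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\winlogon.exe",
     "ImageLoaded": "C:\\ProgramData\\Cache\\inject.dll", "Signed": "false"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "DestinationHostname": "www.googleapis.com"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\updater.exe",
     "DestinationHostname": "graph.microsoft.com"},
]

if __name__ == "__main__":
    for hit in suspicious_dll_loads(SAMPLE_EVENTS):
        print("privileged DLL load to review:", hit)
    for hit in unexpected_cloud_connections(SAMPLE_EVENTS):
        print("cloud-storage connection to review:", hit)
```

Against the sample events the first check flags only the unsigned DLL loaded into winlogon.exe from ProgramData, and the second flags only the unknown updater.exe reaching the Microsoft Graph endpoint; the Chrome connection and the System32 load are treated as baseline. Feed real Sysmon exports in the same dictionary shape, and tune the two allow-sets before trusting the output.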

Suggested Corrections:

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies. Given this campaign, that monitoring should cover which extensions internet-facing webmail servers (such as MDaemon WorldClient) load, which third-party drivers are installed on endpoints, and which processes are talking to cloud storage services.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques helps detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices. Because this group has delivered browser and plugin exploits through phishing links, awareness must be paired with prompt patching of browsers and their plugins.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

Link(s):
https://thehackernews.com/2024/12/the-mask-apt-resurfaces-with.html

https://securelist.com/careto-is-back/114942/