
Careto is back: what’s new after 10 years of silence?

Threat Actors: The Mask (aka Careto). Active since at least 2007, performing sophisticated attacks against high-profile organizations, including governments, diplomatic entities, and research institutions.

Campaign Overview: Newly observed attacks in 2022 and 2024 attributed to The Mask, using advanced implants and infection techniques targeting email servers and cloud storage, and leveraging persistence methods.

Target Regions: Latin America, with identified attacks against high-profile organizations in 2019, 2022, and 2024.

Methodology: Persistence via MDaemon email server extensions, lateral movement through malicious drivers and DLL injection, COM hijacking, use of cloud storage for data exfiltration, and TTP overlaps with historic campaigns.

Products Targeted: MDaemon email servers, HitmanPro Alert drivers, system processes such as winlogon.exe and dwm.exe, and cloud services such as Google Drive and OneDrive.

Malware Reference: FakeHMP implant, Careto2 framework, Goreto toolset, Careto implants.

Tools Used: WorldClient component extensions, HitmanPro Alert software driver (hmpalert.sys), malicious DLL (hmpalert.dll), Google Updater abuse, COM hijacking.

Vulnerabilities Exploited: Persistence exploits in MDaemon’s WorldClient extensions and file-based COM hijacking.

TTPs: Cloud-based command and control, lateral movement via scheduled tasks, malicious drivers, keystroke logging, screenshot capturing, data exfiltration, COM hijacking, plugin-based modular frameworks.

Attribution: Attributed to The Mask (Careto) with medium to high confidence, based on TTP overlaps, reused file names, and unique methods linked to historical campaigns by this actor.

Recommendations: Regular patching and hardening of email servers, monitoring cloud storage for anomalous activity, securing COM objects, endpoint monitoring for malware, and advanced threat intelligence sharing.

Source: Securelist by Kaspersky

Read full article: https://securelist.com/careto-is-back/114942/

The above summary has been generated by an AI language model

Source: Securelist by Kaspersky

Published on: December 12, 2024
