| Category | Details |
|---|---|
| Threat Actors | The Mask (aka Careto) |
| Campaign Overview | Attacks in 2019 and 2022 targeting a Latin American organization; observed activity in early 2024 targeting an unknown entity. |
| Target Regions | Latin America (specific organization); unspecified victims in other cases. |
| Methodology | Spear-phishing emails with links to malicious sites exploiting browser zero-days (e.g., CVE-2012-0773); persistence through the WorldClient extension of the MDaemon webmail server. |
| Product Targeted | MDaemon WorldClient, HitmanPro Alert software. |
| Malware Reference | Careto2, Goreto, FakeHMP ("hmpalert.dll"). |
| Tools Used | Malicious DLLs, microphone recorder, file stealer, modular malware frameworks. |
| Vulnerabilities Exploited | CVE-2012-0773; exploits targeting DLL validation weaknesses in the HitmanPro Alert driver. |
| TTPs | Spear-phishing, zero-day browser exploits, malicious DLL injection, data exfiltration via Microsoft OneDrive and Google Drive, custom implants. |
| Attribution | Origins unknown; first identified in 2007 by Kaspersky. |
| Recommendations | 1. Patch systems to mitigate known vulnerabilities. 2. Monitor email server configurations for suspicious changes. 3. Deploy behavioral analytics to detect anomalies. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/the-mask-apt-resurfaces-with.html
The above summary has been generated by an AI language model