The gang "Careto" or "The Mask" began operations in 2007 and suddenly vanished in 2013. During that time, the Spanish-speaking threat actor claimed around 380 unique victims in 31 countries, including the United States, the United Kingdom, France, Germany, China, and Brazil.
Kaspersky researchers, who monitored Careto ten years ago and recently discovered new attacks, classified Careto's former victims as government organizations, diplomatic offices and embassies, energy, oil and gas corporations, research institutions, and private equity firms.
According to Kaspersky, Careto group actors use specialized tactics to sneak into both victim environments, maintain persistence, and harvest information.
In both attacks, for example, it appears that the attackers got early access using the organization's MDaemon email server, a software that many small and medium-sized enterprises use. According to Kaspersky, the attackers planted a backdoor on the server, giving them control of the network. They used a driver connected with the HitmanPro Alert malware scanner to sustain persistence.
Careto distributed four multi-modular implants on workstations across each victim's network as part of the attack chain, exploiting a previously undisclosed weakness in a security product utilized by both. Kaspersky's analysis did not specify the security product or weakness that Careto is exploiting in its latest operation. However, the company stated that it has provided comprehensive details about Careto's recent attacks, including tactics, strategies, and procedures, in a private APT report for customers.
The implants, named "FakeHMP," "Careto2," "Goreto," and the "MDaemon implant," allowed the attackers to carry out a variety of harmful acts in the victim environments. According to Kucherin, the MDaemon implant permitted threat actors to conduct initial reconnaissance, extract system configuration information, and execute commands for lateral movement.
He emphasizes that threat actors use FakeHMP to record microphones and keyloggers and steal confidential papers and login information. Both Careto2 and Goreto perform keylogging and screenshot capture. Careto2 also facilitates file theft, according to Georgy Kucherin, security researcher at Kaspersky.