A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice, in 2019 and 2022.
"The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets are usually high-profile organizations, such as governments, diplomatic entities and research institutions."
Also known as Careto, the threat actor was previously documented by the Russian cybersecurity company over a decade ago, in February 2014, as having targeted over 380 unique victims since 2007. The origins of the hacking group are currently unknown.
Initial access to target networks is facilitated by means of spear-phishing emails embedding links to a malicious website that is designed to trigger browser-based zero-day exploits to infect the visitor (e.g., CVE-2012-0773), after which the victim is redirected to benign sites like YouTube or a news portal.
There is also some evidence suggesting that the threat actors have developed a comprehensive malware arsenal that is capable of targeting Windows, macOS, Android, and iOS.
Kaspersky said it identified The Mask targeting a Latin American organization in 2022, using an as-yet-undetermined method to obtain a foothold and maintaining persistence by leveraging an MDaemon webmail component called WorldClient.
"The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server," the researchers said.
The threat actor is said to have compiled their own extension and configured it by adding malicious entries in the WorldClient.ini file specifying the path to the extension DLL.
The rogue extension is designed to run commands that enable reconnaissance, file system interactions, and the execution of additional payloads. In the 2022 attack, the adversary used this method to spread to other computers inside the organization's network and launch an implant dubbed FakeHMP ("hmpalert.dll").
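Because the persistence described above rests on a configuration file pointing WorldClient at an attacker-supplied DLL, one defensive check is to inventory every DLL path referenced from WorldClient.ini and flag any that lives outside the directory where legitimate extensions are expected. The script below is an added example, not code from the article or from Kaspersky; the INI section and key names, the trusted extension directory and the sample INI contents are all constructed assumptions, since the article does not document WorldClient's real key schema.

```python
"""
Hunt for unexpected extension DLL entries in an MDaemon WorldClient.ini.

Added example, not from the article or Kaspersky. The section/key names
([Extensions] / ExtensionN=...) and the trusted directory are hypothetical
placeholders; the sample INI text is constructed for demonstration.
"""
import configparser
from pathlib import PureWindowsPath

# Constructed sample INI. Key names are hypothetical, not MDaemon's schema.
# The second entry imitates an extension DLL dropped in a world-writable path.
SAMPLE_INI = """
[WorldClient]
HostName=mail.example.test

[Extensions]
Extension1=C:\\MDaemon\\WorldClient\\Extensions\\Calendar.dll
Extension2=C:\\Users\\Public\\wc_ext_helper.dll
"""

# Directory under which legitimate extension DLLs are expected (assumption;
# adjust to the real install location of the deployment being checked).
TRUSTED_DIRS = (PureWindowsPath(r"C:\MDaemon\WorldClient\Extensions"),)


def dll_entries(ini_text):
    """Return (section, key, path) for every INI value ending in '.dll'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # preserve key case so reports match the file
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            candidate = value.strip().strip('"')
            if candidate.lower().endswith(".dll"):
                found.append((section, key, candidate))
    return found


def is_trusted(path_str):
    """True if the DLL path sits inside one of the trusted directories."""
    p = PureWindowsPath(path_str)
    # PureWindowsPath compares case-insensitively, as Windows does.
    return any(d == p.parent or d in p.parents for d in TRUSTED_DIRS)


def suspicious_extensions(ini_text):
    """DLL entries whose path is outside every trusted extension directory."""
    return [(s, k, v) for s, k, v in dll_entries(ini_text) if not is_trusted(v)]


if __name__ == "__main__":
    for section, key, path in suspicious_extensions(SAMPLE_INI):
        print(f"[{section}] {key} -> {path}  (outside trusted extension directory)")
```

Run against a real WorldClient.ini by reading the file into `suspicious_extensions`; any hit is a lead to investigate, and pairing the path check with a signature or hash allowlist of the deployed extension DLLs catches the case where an attacker writes a malicious DLL into the trusted directory itself.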
This is achieved via a legitimate driver of the HitmanPro Alert software ("hmpalert.sys") by taking advantage of the fact that it fails to verify the legitimacy of the DLLs it loads, thus making it possible to inject the malware into privileged processes during system startup.
The backdoor supports a wide range of features to access files, log keystrokes, and deploy further malware onto the compromised host. Some of the other tools delivered to the compromised systems included a microphone recorder and a file stealer.
The cybersecurity company's investigation further found that the same organization was subjected to a prior attack in 2019 that involved the use of two malware frameworks codenamed Careto2 and Goreto.
Careto2 is an updated version of the modular framework observed between 2007 and 2013 that leverages several plugins to take screenshots, monitor file modifications in specified folders, and exfiltrate data to an attacker-controlled Microsoft OneDrive storage.
Goreto, on the other hand, is a Golang-based toolset that periodically connects to a Google Drive storage to retrieve commands and execute them on the machine. This includes uploading and downloading files, fetching and running payloads from Google Drive, and executing a specified shell command. Additionally, Goreto incorporates features to capture keystrokes and screenshots.
That's not all. The threat actors have also been detected using the "hmpalert.sys" driver to infect an unidentified individual or organization's machine in early 2024.
"Careto is capable of inventing extraordinary infection techniques, such as persistence via the MDaemon email server or implant loading through the HitmanPro Alert driver, as well as developing complex multi-component malware," Kaspersky said.