The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal
A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022.
“The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007,” Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. “Their targets are usually high-profile organizations, such as governments, diplomatic entities and research institutions.”
Also known as Careto, the threat actor was previously documented by the Russian cybersecurity company over a decade ago in February 2014 as having targeted over 380 unique victims since 2007. The origins of the hacking group are currently unknown.
Initial access to target networks is facilitated by means of spear-phishing emails embedding links to a malicious website that are designed to trigger browser-based zero-day exploits to infect the visitor (e.g., CVE-2012-0773), following which they are redirected to benign sites like YouTube or a news portal.
There is also some evidence suggesting that the threat actors have developed a comprehensive malware arsenal that’s capable of targeting Windows, macOS, Android, and iOS.
Kaspersky said it identified The Mask targeting a Latin American organization in 2022, using an as-yet-undetermined method to obtain a foothold and maintain persistence by making use of an MDaemon webmail component called WorldClient.
“The persistence method used by the threat actor was based on WorldClient allowing loading of extensions that handle custom HTTP requests from clients to the email server,” the researchers said.
The threat actor is said to have compiled their own extension and configured it by adding malicious entries in the WorldClient.ini file by specifying the path to the extension DLL.
The rogue extension is designed to run commands that enable reconnaissance, file system interactions, and the execution of additional payloads. In the 2022 attack, the adversary used this method to spread to other computers inside the organization’s network and launch an implant dubbed FakeHMP (“hmpalert.dll”).
This is accomplished by means of a legitimate driver of the HitmanPro Alert software (“hmpalert.sys”) by taking advantage of the fact that it fails to verify the legitimacy of the DLLs it loads, thus making it possible to inject the malware into privileged processes during system startup.
The backdoor supports a wide range of features to access files, log keystrokes, and deploy further malware onto the compromised host. Some of the other tools delivered to the compromised systems included a microphone recorder and a file stealer.
The cybersecurity company’s investigation further found that the same organization was subjected to a prior attack in 2019 that involved the use of two malware frameworks codenamed Careto2 and Goreto.
Careto2 is an updated version of the modular framework observed between 2007 and 2013 that leverages several plugins to take screenshots, monitor file modifications in specified folders, and exfiltrate data to an attacker-controlled Microsoft OneDrive storage.
Goreto, on the other hand, is a Golang-based toolset that periodically connects to a Google Drive storage to retrieve commands and execute them on the machine. This includes uploading and downloading files, fetching and running payloads from Google Drive, and executing a specified shell command. Furthermore, Goreto incorporates features to capture keystrokes and screenshots.
That’s not all. The threat actors have also been detected using the “hmpalert.sys” driver to infect an unidentified individual or organization’s machine in early 2024.
“Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading though the HitmanPro Alert driver, as well as developing complex multi-component malware,” Kaspersky said.