Legendary Cyber Espionage Group ‘The Mask’ Returns with Advanced Cross-Platform Attack Campaign

The Mask APT Group: Sophisticated Cyber Espionage Campaign Resurfaces

A sophisticated cyber espionage group known as The Mask (or Careto) has been discovered conducting new attacks targeting organizations in Latin America. Kaspersky researchers have identified multiple attack campaigns in 2019, 2022, and early 2024, demonstrating the group’s continued evolution and advanced capabilities.

Key Findings:
– The group has been active since 2007, primarily targeting high-profile organizations including governments, diplomatic entities, and research institutions
– Recent intrusions achieved persistence by installing a malicious extension in the WorldClient webmail component of the MDaemon email server
– New malware frameworks identified: Careto2 and Goreto, featuring sophisticated data exfiltration capabilities

Attack Methodology:
1. Initial access through spear-phishing emails containing malicious links
2. Exploitation of browser-based zero-day vulnerabilities
3. Deployment of custom malware frameworks across multiple platforms (Windows, macOS, Android, iOS)

Latest Tools and Techniques:
– FakeHMP implant, loaded by abusing a vulnerability in the HitmanPro Alert driver
– Malicious MDaemon WorldClient extension used to maintain a foothold inside the victim network
– Implant capabilities include:
  – Keylogging
  – Screenshot capture
  – Microphone recording
  – File system manipulation
  – Command execution
  – Data exfiltration through OneDrive and Google Drive

The Mask continues to demonstrate sophisticated attack methods and malware development capabilities, making it a significant threat to high-value targets globally.