An advanced persistent threat (APT) group known as “Careto” or “The Mask” has resurfaced after more than a decade of apparent dormancy. The group was active from 2007 to 2013, hitting organizations in the US, UK, France, Germany, China, Brazil and elsewhere, with a total of 380 unique victims across 31 countries. Researchers at Kaspersky have now identified Careto in fresh cyber-espionage campaigns aimed at organizations in Latin America and Central Africa.
The recent attacks by Careto have targeted government institutions, diplomatic offices, embassies, energy, oil and gas companies, research institutions, and private equity firms. The group has been using sophisticated techniques to steal confidential documents, cookies, form history, and login data from popular web browsers such as Chrome, Edge, Firefox, and Opera. Additionally, they have been targeting cookies from messaging apps like WhatsApp, WeChat, and Threema.
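The browser-data theft described above leaves a simple, hunt-able trace: a process other than the browser itself opening the browser's cookie, saved-login or form-history store. The following script is an added illustration written for this page, not Kaspersky's detection logic and not anything from the Careto report. It checks file-access events for that pattern using the standard Windows profile locations of Chrome, Edge, Opera and Firefox. The `timestamp | process | path` log format and every log line are constructed for the example and do not correspond to any real EDR or Sysmon schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# File names of the stores a browser stealer reads: cookies, saved logins,
# form history (plus Firefox's key database that protects logins.json).
# Chromium-based Chrome, Edge and Opera share the same file names;
# Firefox keeps its own SQLite/JSON stores.
CHROMIUM_STORES = {"cookies", "login data", "web data"}
FIREFOX_STORES = {"cookies.sqlite", "logins.json", "formhistory.sqlite", "key4.db"}

# Which browser process legitimately owns a profile directory, keyed on
# the standard Windows profile path of each browser.
PROFILE_OWNERS = [
    (re.compile(r"google[\\/]chrome[\\/]user data", re.I), "chrome.exe"),
    (re.compile(r"microsoft[\\/]edge[\\/]user data", re.I), "msedge.exe"),
    (re.compile(r"opera software[\\/]opera", re.I), "opera.exe"),
    (re.compile(r"mozilla[\\/]firefox[\\/]profiles", re.I), "firefox.exe"),
]


@dataclass
class Alert:
    timestamp: str
    process: str   # process that opened the store
    path: str      # store that was opened
    owner: str     # browser that should have been the only reader


def parse_event(line: str) -> Optional[tuple]:
    """Parse one constructed 'timestamp | process | path' log line."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], parts[2]


def is_browser_store(path: str) -> bool:
    """True if the file name is one of the known credential/cookie stores."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name in CHROMIUM_STORES or name in FIREFOX_STORES


def profile_owner(path: str) -> str:
    """Browser process that owns the profile the path lies in, or 'unknown'.

    'unknown' covers a store-like file outside any profile directory,
    e.g. a copy staged for exfiltration; nothing legitimately reads that.
    """
    for pattern, owner in PROFILE_OWNERS:
        if pattern.search(path):
            return owner
    return "unknown"


def check_event(line: str) -> Optional[Alert]:
    """Return an Alert when a non-owner process opens a browser store."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    ts, proc, path = parsed
    if not is_browser_store(path):
        return None
    owner = profile_owner(path)
    if proc.lower() == owner:
        return None  # the browser reading its own profile: expected
    return Alert(ts, proc, path, owner)


def scan(lines) -> list:
    """Run check_event over every line and keep only the alerts."""
    return [a for a in (check_event(l) for l in lines) if a is not None]


# Constructed sample log: two browser self-reads (benign), two foreign
# processes reading profile stores, one copy of 'Login Data' staged in
# ProgramData, and one unrelated file access.
SAMPLE_LOG = r"""
2024-05-02T10:15:01Z | chrome.exe | C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2024-05-02T10:15:07Z | svchost.exe | C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-05-02T10:16:30Z | firefox.exe | C:\Users\ana\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json
2024-05-02T10:16:42Z | updater.exe | C:\Users\ana\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\cookies.sqlite
2024-05-02T10:17:00Z | msedge.exe | C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
2024-05-02T10:17:05Z | notepad.exe | C:\Users\ana\Documents\notes.txt
2024-05-02T10:18:10Z | 7z.exe | C:\ProgramData\stage\Login Data
""".strip().splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.process} read {alert.path} "
              f"(expected reader: {alert.owner})")
```

Expect false positives from legitimate cross-browser imports (a browser's "import bookmarks and passwords" feature reads the other browser's stores), backup agents and password-manager helpers; in practice those get an allow-list, and a hit from a process outside that list, especially one also reading messaging-app data directories, is worth pulling the process tree for.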
Georgy Kucherin, a security researcher at Kaspersky, highlighted the importance of not overlooking advanced persistent threats that have been inactive for a long time. He emphasized that these groups can resurface with new and unique attacks at any given time, making it crucial for companies to stay vigilant and update their cybersecurity strategies.
Careto’s tradecraft relies on custom techniques to infiltrate victim environments, maintain persistence, and gather sensitive information. In the recent intrusions the group exploited vulnerabilities in an email server and in a security product used by its victims, which allowed it to distribute multi-modular implants across the network. Kaspersky’s public report withheld the name of the security product to avoid encouraging copycat abuse, but shared the specifics with its customers through a private APT report.
The implants used by Careto, including “FakeHMP,” “Careto2,” “Goreto,” and the “MDaemon implant,” enable a range of malicious activities such as reconnaissance, keylogging, screenshot capturing, and file theft. These sophisticated implants underscore the advanced nature of Careto’s operations, indicating the group’s proficiency in executing intricate and multifaceted attacks.
In Kaspersky’s APT activity roundup for the first quarter of 2024, Careto was not the only threat group highlighted. Gelsemium, a group deploying server-side exploits, and North Korea’s Kimsuky group, known for abusing weak DMARC policies, were also mentioned. Iran’s OilRig group, which targets critical infrastructure in Israel, was another threat group identified in the report.
The resurgence of Careto is a reminder that a quiet adversary is not a retired one, and that organizations need to stay informed, proactive, and prepared to defend against sophisticated and persistent threat actors. Keeping ahead of groups like Careto is essential to safeguarding sensitive information and maintaining the integrity of organizational networks and systems.
