Severity
High
Analysis Summary
Two attacks, in 2019 and 2022, against an unidentified organization in Latin America have been attributed to a little-known cyber espionage actor called The Mask. The threat actor has been carrying out highly sophisticated attacks since at least 2007, typically targeting high-profile institutions such as governments, diplomatic missions, and research centers.
In February 2014, researchers revealed that the threat actor, also known as Careto, had compromised more than 380 distinct victims since 2007. The APT group's origins remain unknown. Initial access to target networks is obtained through spear-phishing emails embedding links to malicious websites that infect the visitor with browser-based zero-day exploits (e.g., CVE-2012-0773); the visitor is then redirected to benign sites such as YouTube or a news portal.
Additionally, there is evidence that the threat actors have developed a wide range of malware capable of targeting iOS, Android, Windows, and macOS. According to the researchers, The Mask targeted a Latin American firm in 2022 using a previously undocumented technique to gain a foothold and maintain persistence by abusing the WorldClient webmail component of MDaemon.
The persistence technique relied on WorldClient's ability to load extensions that handle custom HTTP requests sent from clients to the email server. The threat actor is said to have built and registered their own extension by adding malicious lines to the WorldClient.ini file that supply the path to the extension DLL.
The purpose of the rogue extension is to execute commands that enable file system interaction, reconnaissance, and the delivery of additional payloads. In the 2022 attack the adversary used this technique to spread to further machines within the company's network and deploy an implant known as FakeHMP ("hmpalert.dll"). This loading step abuses a legitimate driver of the HitmanPro Alert product ("hmpalert.sys"), which does not verify the authenticity of the DLLs it loads, allowing the malicious DLL to be injected into privileged processes as the system boots.
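A defender-side hunt for the two artefacts described above (an extension DLL registered in WorldClient.ini outside the MDaemon tree, and hmpalert.dll loaded from somewhere other than the HitmanPro Alert install directory). This is an added example, not code from the advisory or either vendor; the install roots, section and key names, and module list are assumed or constructed, since the advisory does not give the exact WorldClient.ini keys, so every value naming a .dll is inspected regardless of key.

```python
"""Hunt for the Careto persistence and loader artefacts described above.

Added example, not from the advisory. Assumptions: install roots below are
placeholders; WorldClient.ini key names are not given by the advisory, so any
value that names a .dll is inspected. Sample inputs are constructed."""
import configparser
import ntpath

# Assumed expected install locations (placeholders; adjust per host).
MDAEMON_ROOT = r"C:\MDaemon"
HMPALERT_ROOT = r"C:\Program Files\HitmanPro.Alert"


def _under(path, root):
    """True if path lies inside root (case-insensitive, Windows separators)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return p.startswith(r)


def suspicious_worldclient_dlls(ini_text, mdaemon_root=MDAEMON_ROOT):
    """Return (section, key, path) for every DLL referenced in WorldClient.ini
    that lives outside the MDaemon tree. Every key is considered because the
    advisory only says 'malicious lines' supply the extension DLL path."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # preserve key case for reporting
    cp.read_string(ini_text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value.lower().endswith(".dll") and not _under(value, mdaemon_root):
                hits.append((section, key, value))
    return hits


def suspicious_hmpalert_loads(loaded_modules, hmp_root=HMPALERT_ROOT):
    """Given (process, module_path) pairs observed at boot, flag hmpalert.dll
    loaded from outside the HitmanPro Alert directory: the advisory notes that
    hmpalert.sys does not verify the DLLs it loads."""
    return [(proc, path) for proc, path in loaded_modules
            if ntpath.basename(path).lower() == "hmpalert.dll"
            and not _under(path, hmp_root)]


if __name__ == "__main__":
    # Constructed sample inputs; section/key names are illustrative only.
    SAMPLE_INI = ("[Extensions]\nLegit=C:\\MDaemon\\WorldClient\\ext.dll\n"
                  "Updater=C:\\Windows\\Temp\\wc_ext.dll\n")
    SAMPLE_MODS = [("svc.exe", r"C:\Windows\System32\hmpalert.dll"),
                   ("svc.exe", r"C:\Program Files\HitmanPro.Alert\hmpalert.dll")]
    print(suspicious_worldclient_dlls(SAMPLE_INI))
    print(suspicious_hmpalert_loads(SAMPLE_MODS))
```

Run it against a copy of the real WorldClient.ini and a module listing from a boot-time capture; any hit warrants checking the DLL's signature and hash before acting.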
The backdoor supports numerous functions, including file access, keystroke logging, and the ability to install further malware on the infected host. Additional tools delivered to the infected systems included a microphone recorder and a file stealer. The analysis also revealed that two malware frameworks, codenamed Careto2 and Goreto, were used in an earlier attack on the same organization in 2019.
Careto2, developed between 2007 and 2013, is a modular framework that uses multiple plugins to capture screenshots, monitor file changes in designated folders, and exfiltrate stolen data to an attacker-controlled Microsoft OneDrive account. Goreto, by contrast, is a Golang-based toolkit that periodically polls a Google Drive account for commands and runs them on the host. Supported commands include executing a specified shell command, retrieving and executing payloads from Google Drive, and uploading and downloading files. Goreto also includes screenshot and keystroke-recording capabilities.
But that's not all. In early 2024, the threat actors were observed infecting an unidentified person or organization's computer using the "hmpalert.sys" driver. Careto is capable of building sophisticated multi-component malware and devising novel infection methods, such as persistence via the MDaemon email server and implant loading via the HitmanPro Alert driver.
Impact
- Cyber Espionage
- Identity Theft
- Unauthorized Access
- Sensitive Data Theft
Remediation
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Carefully check the URLs before entering credentials or downloading software.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Stay vigilant and follow cybersecurity best practices to protect systems and data, including regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.