10 years later, the “Mask” gang of cybercriminals is making a comeback, unfortunately for the worse!


Mélina LOUPIA

May 10, 2024 at 3:34 p.m.


Do you recognize them? These are the hackers from The Mask gang, or Careto, who are making a comeback after 10 years of absence © rawf8 / Shutterstock


The Mask, or Careto, a gang of Spanish-speaking hackers, returns after 10 years of absence to deploy a new sophisticated malware campaign, for the moment in Latin America and Central Africa.

They come back and they’re even meaner. The proof is that researchers from Kaspersky’s Securelist laboratory have classified them as an APT, for advanced persistent threat.

You don’t know them or perhaps don’t recognize them? It’s normal. We hadn’t seen the Spanish-speaking gang The Mask, or Careto, for 10 years. A time period that is more than sufficient, given the exponential increase in cyberpiracy, to be forgotten… or to prepare for a big comeback.

“FakeHMP”, “Careto2”, “Goreto” and “Implant MDaemon”, implants as The Mask’s new cyberattack method

The implant, much like Line Dancer, used in the Cisco firewalls cyberattack in April 2024, may be the reason for The Mask’s 10-year absence.

Implants are intentional infections by hackers. Unlike errors that can lead to malware, they are deliberately deployed by hackers after gaining access to systems. This access can be through digital or physical means. For example, a hacker can insert a USB device to plant malware on a system. Vulnerabilities don’t always take digital form. People can also be a vulnerability, such as a user falling for a Trojan horse, or an internal bad actor planting malware or stealing data.

In this case, The Mask used four of them to restart its malicious cyber machine, which Kaspersky named “FakeHMP”, “Careto2”, “Goreto” and “Implant MDaemon”. While Careto2 and Goreto specialize in keystroke and screen capture, FakeHMP aims broader, adding to these features microphone recording and theft of sensitive data, such as login credentials or documents classified as confidential. The MDaemon implant, for its part, acted as a scout by analyzing the configuration of the victims’ systems, before executing commands using lateral movement, by hand, to be sure to adapt the method to the targeted network.

After Latin America and Central Africa, what part of the world will The Mask cyberattack? © Gorodenkoff / Shutterstock


MDaemon, the mail server used as a gateway by The Mask for its return

According to Georgy Kucherin, security researcher at Kaspersky, the nature and method of the cyberattacks carried out recently by The Mask prove that the group left nothing to chance and remained, during its absence, on the lookout for the latest methods. “The newly discovered implants are complex multimodal frameworks, with tactics and deployment techniques that are both unique and sophisticated. Their presence indicates the advanced nature of Careto’s operations”, he explains.

However, The Mask did not return through the front door, but rather through the MDaemon messaging server used by its two victims, which gives a small clue to the nature, if not the identity, of the target: small or medium-sized businesses. After forcing this door, they installed another one, a back door this time, on this server to take control of the network and take advantage, in passing, of the presence of the Hitman Pro virus scanner, used by these companies as a substitute for protection, to put in place their famous persistence. As for the four implants, Kaspersky preferred to remain discreet about the flaw that allowed The Mask to introduce them, to avoid whetting the appetites of other gangs. Not crazy, the wasp.

Sources: Kaspersky, Dark Reading

Mélina LOUPIA


Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
