Cyber security news for all

    The Mask APT Reemerges with Advanced Multi-Platform Malware Arsenal

    A covert cyber espionage entity known as The Mask has resurfaced with a sophisticated wave of multi-platform attacks targeting a Latin American organization on two separate occasions in 2019 and 2022.

    “The Mask APT is a formidable threat actor renowned for its intricate and meticulously crafted attacks, active since at least 2007,” stated Kaspersky researchers Georgy Kucherin and Marc Rivero in an analysis released last week. “Their targets predominantly include elite organizations, such as governmental bodies, diplomatic agencies, and research institutions.”

    Often referred to as Careto, the threat actor first came under scrutiny by Kaspersky in 2014, when investigations revealed that the group had compromised over 380 unique victims since its inception. The group's origins, however, remain shrouded in mystery.


    Spear-Phishing and Multi-Stage Infiltration Tactics

    The Mask APT's initial infiltration relies on highly targeted spear-phishing emails carrying hyperlinks to attacker-controlled websites. Those sites serve exploits through the victim's browser, including one for the Adobe Flash Player vulnerability CVE-2012-0773, to infect the visiting machine. Once the exploit has run, the victim is redirected to a legitimate destination such as YouTube or a popular news portal, so the visit looks like ordinary browsing.

    Evidence points to the actor maintaining an elaborate malware arsenal compatible with Windows, macOS, Android, and iOS, underscoring their adaptability across platforms.


    Persistence and Malware Deployment via WorldClient

    In the 2022 incident, Kaspersky observed The Mask using the MDaemon WorldClient webmail service as a persistence mechanism. WorldClient supports extensions implemented as DLLs and declared in its WorldClient.ini configuration file; the attackers wrote their own rogue extension and added entries to that file so that the webmail service would load their custom DLL each time it started.

    This extension gave the attackers system reconnaissance, file manipulation, and the ability to execute secondary payloads. One such payload was an implant named FakeHMP (hmpalert.dll), which abused the legitimate HitmanPro Alert driver (hmpalert.sys). The driver loads a DLL of that name into processes during system startup without verifying that the file is the genuine vendor component, so by planting their own hmpalert.dll the adversaries had it injected into privileged processes at every boot, gaining deep persistence.
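    The practical hunting step that follows from this persistence trick is to audit the server's configuration for extension DLLs nobody registered, and to check that any DLL with an expected name is still the vendor's build. The script below is an added example, not code from Kaspersky, MDaemon or the attackers; the `[Extensions]`/`CgiN` section and key names, the "files on disk" and the allowlist hash are all constructed stand-ins, since the real WorldClient.ini layout is not reproduced on this page.

```python
"""Audit an INI-style webmail configuration for unexpected extension DLLs.

Added example, not Kaspersky's, MDaemon's or the attackers' code.  The
[Extensions]/CgiN layout below is a constructed stand-in for WorldClient.ini,
so adjust the parsing before pointing this at a real server.
"""
import configparser
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed allowlist: lower-case basename of every DLL the service is
# expected to load, mapped to the SHA-256 of the vendor-shipped file.  In a
# real deployment this comes from a clean install, not from a byte string.
GOOD_WORLDCLIENT_BYTES = b"constructed stand-in for the vendor WorldClient.dll"
KNOWN_GOOD = {
    "worldclient.dll": hashlib.sha256(GOOD_WORLDCLIENT_BYTES).hexdigest(),
}

# Constructed sample configuration (not the real WorldClient.ini format).
SAMPLE_INI = r"""
[Extensions]
Cgi1=C:\MDaemon\WorldClient\WorldClient.dll
Cgi2=C:\MDaemon\WorldClient\wcupdate.dll
Cgi3=C:\MDaemon\WorldClient\Plugins\WorldClient.dll
[Logging]
LogFile=C:\MDaemon\Logs\WorldClient.log
"""

# Constructed "files on disk": path -> file contents.  Cgi2 is a DLL that was
# never registered by an administrator; Cgi3 reuses an allowlisted name but
# its contents do not match the vendor build.
SAMPLE_DISK = {
    r"C:\MDaemon\WorldClient\WorldClient.dll": GOOD_WORLDCLIENT_BYTES,
    r"C:\MDaemon\WorldClient\wcupdate.dll": b"attacker extension (constructed)",
    r"C:\MDaemon\WorldClient\Plugins\WorldClient.dll": b"trojanised copy (constructed)",
}

DLL_RE = re.compile(r"\S+\.dll\b", re.IGNORECASE)


def extract_dll_refs(ini_text):
    """Return (section, key, path) for every config value that names a .dll."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case so findings quote the file as written
    cp.read_string(ini_text)
    refs = []
    for section in cp.sections():
        for key, value in cp.items(section):
            for match in DLL_RE.finditer(value):
                refs.append((section, key, match.group(0)))
    return refs


def audit(refs, disk):
    """Compare each referenced DLL against the allowlist and on-disk hash.

    Returns a list of (path, reason) findings in configuration order.
    """
    findings = []
    for section, key, path in refs:
        name = PureWindowsPath(path).name.lower()
        where = f"[{section}] {key}"
        data = disk.get(path)
        if name not in KNOWN_GOOD:
            findings.append((path, f"DLL not on the allowlist, registered at {where}"))
        elif data is None:
            findings.append((path, f"registered at {where} but missing on disk"))
        elif hashlib.sha256(data).hexdigest() != KNOWN_GOOD[name]:
            findings.append((path, f"allowlisted name but hash mismatch, registered at {where}"))
    return findings


def run_demo():
    """Run the audit over the constructed sample and return its findings."""
    return audit(extract_dll_refs(SAMPLE_INI), SAMPLE_DISK)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"SUSPECT {path}: {reason}")
```

    On the constructed sample the audit flags two of the three registered DLLs: the unlisted `wcupdate.dll` and the `Plugins\WorldClient.dll` whose name is trusted but whose hash is not. Matching on basename alone would have missed the second case, which is why the hash check matters: a persistence mechanism that loads "a DLL named X" is defeated only if you verify what X actually is.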

    The FakeHMP backdoor is laden with functionalities such as:

    • File system access and manipulation
    • Keystroke logging
    • Deployment of additional malware payloads

    Additional malicious utilities observed included a microphone recorder and a file exfiltration tool, amplifying the adversary’s espionage capabilities.


    2019 Attack: Careto2 and Goreto Malware Frameworks

    Kaspersky’s investigation further revealed an earlier breach targeting the same organization in 2019, where the attackers employed two distinct malware frameworks—Careto2 and Goreto.

    1. Careto2: A revamped version of the original modular Careto framework, which was active from 2007 to 2013. It includes plugins capable of:
      • Capturing screenshots
      • Monitoring changes in specific directories
      • Exfiltrating sensitive data to a compromised Microsoft OneDrive account
    2. Goreto: A Golang-based malware suite designed to periodically connect to a Google Drive repository for command-and-control operations. Key capabilities include:
      • Uploading and downloading files
      • Fetching and executing payloads stored in Google Drive
      • Running arbitrary shell commands
      • Logging keystrokes and capturing screenshots
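    Both frameworks use consumer cloud storage (OneDrive for Careto2, Google Drive for Goreto) as their command-and-control channel, which blends into normal traffic because the destinations are legitimate and widely used. What still tends to stand out is the timing: an implant that polls a Drive endpoint on a fixed schedule produces far more regular inter-request gaps than a human browsing the same service. The detection below is an added example, not Kaspersky's or the malware's code; the log format, the hostnames, the process names and the list of cloud-storage domains are constructed for illustration, and nothing here reflects Goreto's actual polling interval.

```python
"""Flag low-jitter periodic connections to cloud-storage domains.

Added example, not Kaspersky's or the malware's code.  Log lines, hosts,
process names and thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed list of consumer cloud-storage endpoints worth watching.
CLOUD_STORAGE = {
    "drive.google.com", "www.googleapis.com",
    "onedrive.live.com", "graph.microsoft.com",
}

# Constructed proxy/EDR log: ws-17 runs an implant that polls the Drive API
# every ~300 s; ws-22 is a person using OneDrive in a browser; ws-09 is noise.
SAMPLE_LOG = """\
2019-03-04T10:00:00Z host=ws-17 proc=updater.exe dst=www.googleapis.com
2019-03-04T10:05:01Z host=ws-17 proc=updater.exe dst=www.googleapis.com
2019-03-04T10:10:00Z host=ws-17 proc=updater.exe dst=www.googleapis.com
2019-03-04T10:14:59Z host=ws-17 proc=updater.exe dst=www.googleapis.com
2019-03-04T10:20:00Z host=ws-17 proc=updater.exe dst=www.googleapis.com
2019-03-04T10:01:12Z host=ws-22 proc=chrome.exe dst=onedrive.live.com
2019-03-04T10:01:40Z host=ws-22 proc=chrome.exe dst=onedrive.live.com
2019-03-04T10:09:03Z host=ws-22 proc=chrome.exe dst=onedrive.live.com
2019-03-04T10:31:55Z host=ws-22 proc=chrome.exe dst=onedrive.live.com
2019-03-04T10:47:10Z host=ws-22 proc=chrome.exe dst=onedrive.live.com
2019-03-04T10:03:00Z host=ws-09 proc=outlook.exe dst=mail.example.com
"""


def parse(line):
    """Parse one 'ISO-timestamp key=value ...' line (constructed format)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["host"], fields["proc"], fields["dst"]


def find_beacons(log_text, min_hits=4, max_cv=0.05):
    """Return one alert per (host, process, destination) whose requests to a
    cloud-storage domain are spaced with a coefficient of variation <= max_cv.

    CV = population stddev / mean of the inter-request gaps; a scripted poll
    with little jitter has a CV near 0, human browsing is far noisier.
    """
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = parse(line)
        if dst in CLOUD_STORAGE:
            by_key[(host, proc, dst)].append(ts)

    alerts = []
    for (host, proc, dst), times in by_key.items():
        if len(times) < min_hits:      # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            alerts.append({"host": host, "proc": proc, "dst": dst,
                           "period_s": round(mean), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(f"BEACON {a['host']} {a['proc']} -> {a['dst']} "
              f"every ~{a['period_s']}s (cv={a['cv']})")
```

    On the constructed sample only `ws-17`/`updater.exe` is flagged (period about 300 s, CV around 0.003); the browser session on `ws-22` has gaps ranging from 28 s to over 20 minutes and is ignored. In production, suppress the vendors' own sync clients, which also poll on a schedule, and treat a non-browser, non-sync process talking to a storage API on a clock as the thing to chase.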

    New Infection Observed in 2024

    The Mask’s operations extended into early 2024, where researchers uncovered evidence of the HitmanPro Alert driver (hmpalert.sys) being leveraged once again to compromise systems. The versatility of their infection vectors and persistence mechanisms highlights the group’s ingenuity in designing unconventional yet effective attack techniques.

    Kaspersky concluded,

    “Careto showcases unparalleled innovation, exploiting obscure pathways such as MDaemon’s WorldClient extensions and stealthily loading implants via trusted drivers like HitmanPro Alert. Their multi-component, multi-platform arsenal exemplifies the depth and complexity of their operations.”

    The resurgence of The Mask APT, with its layered persistence and modular malware arsenal, shows how far a patient espionage actor can get by abusing legitimate software rather than writing everything from scratch: a webmail server's extension mechanism and a security product's own driver both became load points for its implants, across every platform its targets use. The defensive lesson follows directly from the case. Exposed services such as webmail servers deserve periodic audits of their extension and plugin configuration for entries nobody added, and DLLs that trusted drivers load at boot should be checked for unexpected paths and hashes, not trusted on name alone.
