The Mask APT Group Returns: Advanced Cross-Platform Espionage Campaign Targets Latin America

A notorious cyber-espionage group known as The Mask (or Careto) has resurfaced with new malware targeting organizations in Latin America. Security researchers at Kaspersky have uncovered evidence of the group's latest campaigns in 2019 and 2022, demonstrating their evolved capabilities across multiple platforms.

The threat actor, active since 2007, has historically targeted high-profile victims including government agencies, diplomatic entities, and research institutions. Their latest attacks showcase an expanded arsenal of sophisticated malware designed for Windows, macOS, Android, and iOS systems.

In their 2022 campaign, The Mask compromised MDaemon webmail systems by injecting malicious extensions into the WorldClient component. This provided them with a foothold to conduct reconnaissance and deploy additional payloads. The group also leveraged a malware implant called FakeHMP that exploits the HitmanPro Alert software driver to spread through networks.

The 2019 attack revealed two new malware frameworks in their arsenal:

  • Careto2: A modular system using plugins to capture screenshots, monitor files, and exfiltrate data to OneDrive
  • Goreto: Built using Golang, this toolset connects to Google Drive for remote command execution, file operations, and keylogging

The group's initial access typically comes through carefully crafted spear-phishing emails containing links to websites that exploit browser vulnerabilities. Their persistence techniques, including the compromise of email servers and deployment of multi-component malware, demonstrate advanced technical capabilities.

Recent detections in early 2024 show The Mask continuing to exploit the HitmanPro Alert driver, indicating their ongoing operations. The group's ability to develop cross-platform malware and adapt their techniques makes them a persistent threat in the cyber-espionage landscape.