A notorious cyber espionage group known as The Mask has resurfaced after a decade-long hiatus, targeting organizations in Latin America with sophisticated attack techniques.
Security researchers at Kaspersky have uncovered new attacks in 2019 and 2022 linked to The Mask (also known as "Careto"), a state-sponsored hacking group that previously targeted government agencies, diplomatic offices, and energy companies worldwide.
In their latest campaign, the attackers compromised an MDaemon email server, exploiting its WorldClient webmail component to maintain persistent access to the victim's systems. The group deployed custom malicious extensions that could handle HTTP requests between clients and the email server.
The attacks in early 2024 showcased the group's advanced capabilities, including the use of a new implant called FakeHMP. This malware enabled extensive surveillance features like keylogging, screenshot capture, and microphone recording. The attackers leveraged the hmpalert.sys driver and Google Updater for deployment.
During the investigation of the 2022 incident, researchers discovered an earlier 2019 attack on the same organization. This attack used two frameworks dubbed "Careto2" and "Goreto." The Careto2 framework employed a sophisticated plugin system in which plugins were identified by DJB2 hash values of their names, operating through a virtual file system.
The Mask APT group, active since 2007, is known for its Spanish-speaking operators and has historically targeted over 30 countries. When first discovered in 2014, security experts considered it one of the most sophisticated cyber espionage operations ever observed.
Security researchers warn that despite their long absence, The Mask's technical capabilities remain formidable, particularly in developing complex malware and devising innovative infection techniques. The group's return signals a concerning development in the cyber threat landscape, especially for organizations in Latin America.