Full Report
A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022. "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets
Analysis Summary
# Threat Actor: The Mask (Careto)
## Attribution & Identity
* **Identification:** Little-known cyber espionage actor, described as "legendary" and highly sophisticated.
* **Aliases and Associations:** Also known as **Careto**. Origins are currently unknown.
## Activity Summary
The Mask/Careto has been active since at least 2007, performing highly sophisticated attacks.
* **Historical Activity:** Documented by Kaspersky in February 2014 targeting over 380 unique victims since 2007.
* **Recent Activity:** Linked to two attacks against an unnamed organization in **Latin America** (one in 2019 and one in 2022). They were also detected using the `hmpalert.sys` driver technique to infect an individual's or organization's machine in early 2024.
* **Campaigns:** The 2019 attack utilized the Careto2 and Goreto malware frameworks. The 2022 attack focused on obtaining persistence via the MDaemon webmail server.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails embedding links that trigger browser-based zero-day exploits (e.g., CVE-2012-0773) and then immediately redirect the user to a benign site.
* **Persistence (2022):** Exploited a feature in the **MDaemon webmail component (WorldClient)** allowing custom HTTP request extensions. The actor compiled a rogue extension and configured the `WorldClient.ini` file to execute malicious commands for reconnaissance and payload deployment.
* **Lateral Movement/Payload Execution:** Used the legitimate driver `hmpalert.sys` (from HitmanPro Alert software) to inject implants into privileged processes at system startup, exploiting the driver's failure to verify loaded DLLs.
* **Capabilities:** The actor has demonstrated the capability to target Windows, macOS, Android, and iOS.
* [MITRE ATT&CK IDs were not explicitly provided in the text for the observed TTPs, other than the specific zero-day mentioned in initial access.]
## Targeting
* **Sectors:** Governments, diplomatic entities, and research institutions. High-profile organizations are typically targeted.
* **Geography:** An unnamed organization in **Latin America** was specifically targeted in 2019 and 2022.
* **Victims:** Unnamed high-profile organizations.
## Tools & Infrastructure
* **Malware Families/Frameworks:**
  * **Careto2:** Modular framework (post-2007/2013) using plugins for screenshots, file monitoring, and exfiltrating data to **Microsoft OneDrive**.
  * **Goreto:** Golang-based toolset; retrieves commands from **Google Drive**. Features include file upload/download, payload execution, keystroke capture, and screenshots.
  * **FakeHMP (`hmpalert.dll`):** Implant deployed in 2022, injected using the legitimate `hmpalert.sys` driver.
  * Other delivered tools include a microphone recorder and a file stealer.
* **Infrastructure:** Relies heavily on cloud storage services for command and control and exfiltration: **Microsoft OneDrive** and **Google Drive**.
## Implications
The Mask/Careto remains an extremely sophisticated and adaptive threat actor capable of developing comprehensive, multi-component malware and discovering/exploiting zero-days. Their ability to leverage legitimate software components (like the MDaemon extension mechanism or driver loading vulnerabilities) for persistence demonstrates advanced tradecraft aimed at evading traditional security controls.
## Mitigations
* Implement robust email filtering to detect and block spear-phishing links, especially those attempting browser exploitation.
* Monitor MDaemon WorldClient configurations for unauthorized custom extensions or malicious entries in `WorldClient.ini`.
* Investigate systems for unusual activity related to legitimate drivers like `hmpalert.sys` loading unauthorized DLLs or being used to inject code into privileged processes during startup.
* Implement controls to prevent the execution of known malicious components (FakeHMP, Careto2, Goreto).
* Monitor network traffic for suspicious connections to Microsoft OneDrive or Google Drive used for C2 communication or data exfiltration outside of established business workflows.
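The WorldClient.ini monitoring above can be turned into a repeatable baseline check. The following script is an added example written for this summary, not Kaspersky's or MDaemon's code; the section name `CgiExtensions`, the `ExtN` keys, the install path and the sample file contents are constructed assumptions, since the page does not give the real WorldClient.ini layout.

```python
import configparser
from typing import List, Tuple

# Constructed sample WorldClient.ini. The section and key names are an
# assumption for illustration, not the documented MDaemon format.
SAMPLE_INI = """\
[WebServer]
Port=3000
[CgiExtensions]
Ext1=C:\\MDaemon\\WorldClient\\HTML\\extension1.dll
Ext2=C:\\Users\\Public\\update.dll
Ext3=C:\\MDaemon\\WorldClient\\HTML\\extension2.dll
"""

# Extensions an administrator has reviewed and approved (lower-cased paths).
APPROVED = {r"c:\mdaemon\worldclient\html\extension1.dll"}
INSTALL_ROOT = r"c:\mdaemon\worldclient"  # assumed install directory


def find_extensions(ini_text: str, section: str = "CgiExtensions") -> List[Tuple[str, str]]:
    """Return (key, value) pairs from the extension section, matching the
    section name case-insensitively and keeping key case for reporting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case keys
    cp.read_string(ini_text)
    for name in cp.sections():
        if name.lower() == section.lower():
            return list(cp[name].items())
    return []


def audit(ini_text: str, approved=APPROVED, install_root: str = INSTALL_ROOT):
    """Flag extension entries that are not in the approved baseline or that
    point outside the WorldClient install directory (a rogue extension such
    as the one described in the 2022 intrusion would trip both checks)."""
    findings = []
    for key, raw in find_extensions(ini_text):
        path = raw.strip().strip('"').lower()
        reasons = []
        if path not in approved:
            reasons.append("not in approved baseline")
        if not path.startswith(install_root):
            reasons.append("outside WorldClient install directory")
        if reasons:
            findings.append((key, raw, reasons))
    return findings


if __name__ == "__main__":
    for key, raw, reasons in audit(SAMPLE_INI):
        print(f"{key} -> {raw}: {', '.join(reasons)}")
```

Run it on a copy of the live file after each configuration change and treat any finding as a ticket to review the referenced DLL.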