Return of the Mask: the forgotten hacker group resumes its activities

Father

After a 10-year lull, cyber gangs have set their sights on Africa and Latin America.

The Careto group of cyber spies, also known as The Mask, has re-established itself, resuming its activity after a ten-year hiatus. They began operations in 2007 and disappeared in 2013, hitting 380 unique targets in 31 countries, including the US, UK, France, Germany, China and Brazil.

According to Kaspersky Lab researchers who tracked Careto's activities a decade ago and recently discovered the group's attacks again, cybercriminals have stepped up, targeting organizations in Latin America and Central Africa.

In the new campaign, hackers sought to steal confidential documents, auto-fill form data, login history, and cookies from Chrome, Edge, Firefox, and Opera browsers. The attackers also targeted cookies from instant messengers such as WhatsApp, WeChat, and Threema.

Georgy Kucherin, a security researcher at Kaspersky Lab, notes: "We were able to detect the latest campaigns of Careto due to our knowledge of previous campaigns organized by the group, as well as signs of compromise found during the investigation of these campaigns."

A special feature of the new attacks is that attackers use their own techniques to break into organizations' networks. Initial access was obtained through the MDaemon email server, after which a backdoor was installed on the server, allowing hackers to control the network. In addition, a driver associated with the HitmanPro Alert malware scanner was used to maintain access.

As part of the attack, Careto exploited a previously unknown vulnerability in one of its security products to distribute four multi-module implants to each victim's networks. The implants, dubbed "FakeHMP", "Careto2", "Goreto" and "MDaemon implant", allowed for a variety of malicious activities, including intercepting microphone audio, keylogging, and stealing confidential documents and login data.

These complex multi-modal tools, as Kucherin notes, indicate a high level of operations conducted by the group.

In its report for the first quarter of 2024, Kaspersky Lab also mentions other APT groups, including Gelsemium, which previously used server exploits to install web shells and a variety of custom tools in organizations in Palestine, and more recently in Tajikistan and Kyrgyzstan.
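As an added example (not from the article, the forum post, or Kaspersky's research), the following Python hunt shows one way a defender can look for the browser credential theft the post describes: it scans file-access events and flags any process other than the browsers themselves that reads or copies the cookie, saved-login, autofill or history stores of Chrome, Edge, Opera and Firefox. The event line format, the sample events and the process allowlist are all constructed assumptions for this example; real EDR telemetry will have its own schema and your fleet its own browser set.

```python
import re

# Basenames of the browser stores the article lists as targets: cookies,
# saved logins, autofill data and history for Chromium-based browsers
# (Chrome, Edge, Opera) and Firefox. Kept lower-case for comparison.
STORE_BASENAMES = {
    "cookies", "login data", "web data", "history",                          # Chromium family
    "cookies.sqlite", "logins.json", "formhistory.sqlite", "places.sqlite",  # Firefox
}

# Process images expected to open those stores. This allowlist is an
# assumption for the example; tune it to the browsers deployed in your fleet.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "opera.exe", "firefox.exe"}

# Constructed file-access event format (not a real EDR schema):
#   <timestamp> <host> proc=<image> pid=<n> op=<read|write|copy> path="<path>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'op=(?P<op>\w+)\s+path="(?P<path>[^"]+)"\s*$'
)


def parse_event(line):
    """Return a dict of fields for one event line, or None if it is malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path):
    """Last path component, accepting either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_suspicious(event):
    """True when a non-browser process reads or copies a browser credential/cookie store."""
    if event["op"] not in {"read", "copy"}:
        return False
    if basename(event["path"]).lower() not in STORE_BASENAMES:
        return False
    return event["proc"].lower() not in ALLOWED_PROCESSES


def find_suspicious(lines):
    """Scan event lines and return (host, process, path) for each suspicious access."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event and is_suspicious(event):
            alerts.append((event["host"], event["proc"], event["path"]))
    return alerts


# Constructed sample events for a stand-alone run (hosts, users and paths are made up).
SAMPLE_LOG = r'''
2024-05-01T09:00:01Z ws-01 proc=chrome.exe pid=4120 op=read path="C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
2024-05-01T09:00:07Z ws-01 proc=updater.exe pid=5512 op=copy path="C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Login Data"
2024-05-01T09:01:15Z ws-02 proc=firefox.exe pid=2208 op=read path="C:\Users\bo\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default\logins.json"
2024-05-01T09:01:40Z ws-02 proc=powershell.exe pid=6631 op=read path="C:\Users\bo\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default\cookies.sqlite"
2024-05-01T09:02:03Z ws-03 proc=msedge.exe pid=3901 op=write path="C:\Users\cy\AppData\Local\Microsoft\Edge\User Data\Default\Web Data"
2024-05-01T09:02:30Z ws-03 proc=notepad.exe pid=4444 op=read path="C:\Users\cy\Documents\notes.txt"
this line is not a valid event
'''.strip().splitlines()

if __name__ == "__main__":
    for host, proc, path in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {host}: {proc} accessed {path}")
```

Run against the constructed log, the two alerts are the non-browser copy of Chrome's "Login Data" and the PowerShell read of Firefox's cookies.sqlite; browser-initiated reads, writes and unrelated files are ignored, and the malformed line is dropped by the parser. Expect legitimate noise from backup agents and indexers, which is what the allowlist is for.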
 