Mask APT Strikes Again with Advanced Multi-Platform Malware

Mask APT, also known as Careto, has resurfaced with a new wave of sophisticated attacks targeting an organization in Latin America. This notorious cyber espionage group has a long history of infiltrating high-profile entities, including governments, research institutions, and diplomatic bodies, since at least 2007.

Although the group was first documented in 2014, its origins remain a mystery. Initial access is often gained through spear-phishing emails containing malicious links. These links direct users to compromised websites that exploit browser vulnerabilities to infect their devices. Afterward, users are redirected to benign sites such as YouTube or news portals to avoid suspicion.

Expanding Their Arsenal

Recent investigations reveal that Mask APT has developed malware capable of targeting Windows, macOS, Android, and iOS systems. For example, in 2022, the group leveraged an MDaemon webmail component, WorldClient, to maintain persistence. By modifying configuration files, they loaded malicious extensions to execute commands, steal data, and spread across networks.
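As an added illustration of the defensive check this implies (example code written for this article, not taken from the Mask APT research or from MDaemon), the script below audits an MDaemon-style INI file and flags extension entries that load DLLs from outside the installation tree. The `[Extensions]` section, the key names and the `C:\MDaemon` root are assumptions chosen for the illustration, not MDaemon's documented layout; the sample config is constructed.

```python
# Added example: audit a WorldClient-style INI file for extension entries
# whose DLL lives outside the MDaemon install directory. Section and key
# names below are assumptions for illustration, not MDaemon's real format.
import configparser
from pathlib import PureWindowsPath

# Constructed sample config: one expected entry and two suspicious ones.
SAMPLE_INI = r"""
[WorldClient]
HostName=mail.example.test

[Extensions]
Ext1=C:\MDaemon\WorldClient\Ext\Legit.dll
Ext2=C:\Users\Public\update.dll
Ext3=\\fileserver\share\helper.dll
"""

# Assumed install root; adjust to the real deployment path when auditing.
ALLOWED_ROOT = PureWindowsPath(r"C:\MDaemon")


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True when `path` resolves inside `root` (drive letter included)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_suspicious_extensions(ini_text: str, allowed_root=ALLOWED_ROOT):
    """Return (section, key, value) for every DLL reference outside the root."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so findings match the file
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if not value.lower().endswith(".dll"):
                continue  # only module-loading entries are of interest
            if not is_under(PureWindowsPath(value), allowed_root):
                findings.append((section, key, value))
    return findings


if __name__ == "__main__":
    for section, key, value in find_suspicious_extensions(SAMPLE_INI):
        print(f"[{section}] {key} -> {value}")
```

In a real review, compare the flagged paths against the vendor's known module list and the file's last-modified time; a UNC or user-writable location for a mail-server extension is the signal to chase.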

One key implant, FakeHMP, abuses the legitimate HitmanPro Alert driver to bypass security controls and inject malware into privileged processes. This backdoor gives the operators comprehensive control over compromised systems, enabling file access, keystroke logging, and further malware deployment.

Previous and Ongoing Attacks

The Mask APT group also conducted attacks in 2019, deploying frameworks like Careto2 and Goreto. Careto2, an updated version of earlier malware, monitors files, takes screenshots, and exfiltrates data using Microsoft OneDrive. Meanwhile, Goreto, built in Golang, interacts with Google Drive to upload files, execute commands, and deploy payloads. Both frameworks demonstrate Mask APT’s commitment to evolving its techniques.

In early 2024, another attack using the HitmanPro Alert driver revealed Mask APT’s relentless efforts to enhance its tactics. These incidents underscore the group’s ability to innovate and adapt to evade detection.

Preventing Future Attacks

Preventing such advanced threats requires a combination of technical measures and user awareness. Organizations should prioritize regular software updates and employee training on phishing risks. Employing endpoint detection and response tools, alongside strong email filtering systems, can mitigate potential breaches. Collaborative efforts between cybersecurity experts and organizations are critical to staying ahead of these sophisticated adversaries.