The "most advanced" Trojan found, affecting Windows, Mac OS X, Linux, iOS and Android

Kaspersky Lab has announced the discovery of what it calls the "most advanced" cyber espionage network, named Careto (Spanish slang for "ugly face" or "mask"). In Russian-language reporting the network and its associated Trojan are called "Mask"; in English, The Mask.

The researchers gave the Trojan the name Careto after finding this word in the code of several of its modules. In Kaspersky's nomenclature it is detected as Trojan.Win32/Win64.Careto.* in the Windows version and Trojan.OSX.Careto in the Mac OS X version.

One of Careto's most notable features is that the network contains Trojans built for several platforms: besides Windows, there are versions for Mac OS X, modules aimed at Linux, and probably variants for Android and iOS.

According to Kaspersky Lab, the targets of the Careto attack, as with other espionage networks, were government organizations, diplomatic missions and embassies, energy and oil and gas companies, research institutions, and the computers of political activists.

Kaspersky counted a total of 380 targets attacked in 31 countries, including Argentina, Belgium, Bolivia, Brazil, Great Britain, Venezuela, Egypt, Spain, China, Colombia, Cuba, Libya, Norway, Poland, the United States and South Africa, as well as other countries in Latin America, Africa and the Middle East. Notably, the Kaspersky researchers did not list Russia among the Careto victim countries.

The aim of Careto's creators was to steal documents, encryption keys, VPN configurations, remote-access program files and other data from infected systems.

Judging by the compilation timestamps observed in the Trojan's modules, its development began in 2007, but most of the modules were created in 2012. All known Careto command servers are currently offline (that is, they no longer communicate with infected systems), Kaspersky Lab reports. The company adds that its specialists were able to take control of several of the servers, which allowed them to study the network.

Infection with the newly discovered Careto Trojan begins with e-mails containing links to fake sites, which infect the visitor's PC with one of several malicious programs depending on the system's configuration. After a successful infection, the malicious site redirects the user to the genuine, good-quality site that the e-mail appeared to link to.

A Careto infection has consequences that Kaspersky Lab experts call catastrophic: the Trojan intercepts all of the system's communication channels and can collect any data of interest from it. Beyond its built-in functionality, Careto can load additional modules that perform other malicious tasks.

Interestingly, the malicious sites do not infect visitors who arrive at their main page: the exploits are stored in special subdirectories that can only be reached by following the links in the e-mails.
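The two paragraphs above describe a delivery chain that leaves a recognisable trace in network logs: a client fetches a deep, non-root path on a staging host that was handed out by e-mail, and the response is a redirect to a different, legitimate site. The following Python is an added example, not code from the Kaspersky report or from Careto itself; it correlates links extracted from suspicious mail with web-proxy records and flags that pattern. Every host, path and log line in it is constructed for illustration, and the log format is an assumed "timestamp client url status location" layout rather than any real proxy's format.

```python
"""Added example (not from the Kaspersky report): a heuristic for the
emailed-link -> exploit directory -> redirect-to-real-site delivery chain.
All hosts, paths and log lines are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class ProxyEvent:
    ts: datetime
    client: str
    url: str
    status: int
    location: str | None  # Location header on a 3xx response, else None


@dataclass(frozen=True)
class Finding:
    client: str
    staging_host: str
    path: str
    redirected_to: str


def canonical(url: str) -> str:
    """scheme://host/path with query and fragment dropped, host lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"


# Constructed: links pulled from quarantined mails (e.g. by a mail gateway).
EMAILED_LINKS = [
    "http://news-portal.example/articles/2014/02/c7x9/index.php",
    "http://news-portal.example/articles/2014/02/q2m4/index.php?ref=mail",
]

# Constructed proxy log, assumed layout: "<timestamp> <client> <url> <status> <location|->"
RAW_LOG = """\
2014-02-10T09:01:02Z 10.0.0.5 http://news-portal.example/articles/2014/02/c7x9/index.php 302 http://www.legit-news.example/world/story-1234
2014-02-10T09:01:03Z 10.0.0.5 http://www.legit-news.example/world/story-1234 200 -
2014-02-10T10:15:44Z 10.0.0.9 http://news-portal.example/ 200 -
2014-02-10T11:30:00Z 10.0.0.7 http://shop.example/cart 302 http://shop.example/login
2014-02-10T12:00:00Z 10.0.0.12 http://news-portal.example/articles/2014/02/q2m4/index.php 302 http://www.legit-news.example/world/story-1234
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text: str) -> list[ProxyEvent]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, url, status, location = m.groups()
        events.append(ProxyEvent(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            client=client,
            url=url,
            status=int(status),
            location=None if location == "-" else location,
        ))
    return events


def detect(events: list[ProxyEvent], emailed_links: list[str]) -> list[Finding]:
    """Flag redirects where the requested URL is an emailed, non-root path and
    the Location points at a different host (the genuine site the mail named)."""
    emailed = {canonical(u) for u in emailed_links}
    findings = []
    for ev in events:
        if ev.status not in REDIRECT_CODES or ev.location is None:
            continue
        req = urlsplit(ev.url)
        dst = urlsplit(ev.location)
        deep_path = req.path.strip("/") != ""      # the main page is not the lure
        emailed_hit = canonical(ev.url) in emailed  # path came from a mail link
        cross_site = dst.netloc.lower() != req.netloc.lower()
        if deep_path and emailed_hit and cross_site:
            findings.append(Finding(ev.client, req.netloc.lower(), req.path, ev.location))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(RAW_LOG), EMAILED_LINKS):
        print(f"{f.client} fetched emailed path {f.path} on {f.staging_host}, "
              f"then was bounced to {f.redirected_to}")
```

On the constructed log this flags the two clients that followed the mailed links and ignores both the visit to the staging host's main page (no redirect, as the text describes) and an ordinary same-site redirect. The heuristic needs the proxy to record the Location header, and it only narrows the search: confirmation still means pulling the served content and checking the client for the dropped Trojan.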

It is worth noting that Careto exists not only for Windows but also for Mac OS X. Some of the exploit kits contain modules apparently designed to infect Linux machines, but Kaspersky Lab's experts have not yet determined which Linux backdoor the attackers use. Analysis of the Trojan's command servers suggests there may also be Android and iOS variants.

The extreme sophistication of the developers' tools is what leads Kaspersky to call this Trojan "the most advanced" known. Its ability to exploit vulnerabilities in older Kaspersky products in order to stay hidden on the system puts it above the well-known Duqu cyberweapon and makes it the most complex cyber threat to date, says Costin Raiu, head of Kaspersky Lab's Global Research and Analysis Team.

Careto's high complexity and unusually strong self-protection suggest that it was developed in the interests of, and with the support of, a state. Identifying the Trojan's customer is difficult, Kaspersky Lab's experts say, but they believe its developers are native Spanish speakers. That could point to a customer in Spain or Latin America, or in the United States, which has large Spanish-speaking communities in, for example, Florida and California.

• Source: securelist.com/en/blog/208216078/The_Careto_Mask_APT_Frequently_Asked_Questions

==========

Return of the Mask: the forgotten hacker group resumes its activities

After a ten-year lull, the cyber spies have set their sights on Africa and Latin America.

The Careto cyber-espionage group, also known as The Mask, has resurfaced after a ten-year hiatus. It began operating in 2007 and disappeared in 2013, having hit 380 unique targets in 31 countries, including the US, UK, France, Germany, China and Brazil.

According to the Kaspersky Lab researchers who tracked Careto a decade ago and recently spotted the group's attacks again, it has resumed operations, targeting organizations in Latin America and Central Africa.

In the new campaign the attackers sought to steal confidential documents, browser form auto-fill data, login history and cookies from Chrome, Edge, Firefox and Opera. They also went after cookies from messengers such as WhatsApp, WeChat and Threema.

Georgy Kucherin, a security researcher at Kaspersky Lab, notes: "We were able to detect the latest campaigns of Careto due to our knowledge of previous campaigns organized by the group, as well as signs of compromise found during the investigation of these campaigns."

A distinctive feature of the new attacks is that the attackers use their own custom techniques to break into organizations' networks. Initial access was obtained through the organization's MDaemon e-mail server; a backdoor was then installed on that server, giving the attackers control over the network. In addition, a driver associated with the HitmanPro Alert security product was used to maintain access.

As part of the attack, Careto exploited a previously unknown vulnerability in one of the security products used by the victim to deploy four multi-module implants across the victim's network. The implants, dubbed "FakeHMP", "Careto2", "Goreto" and "MDaemon implant", support a range of malicious activity, including recording microphone audio, keylogging, and stealing confidential documents and login data.

These complex multi-module tools, as Kucherin notes, point to a high level of sophistication in the group's operations.

In its APT trends report for the first quarter of 2024, Kaspersky Lab also covers other APT groups, including Gelsemium, which earlier used server exploits to install web shells and a variety of custom tools in organizations in Palestine, and more recently in Tajikistan and Kyrgyzstan.

• Source: https://securelist.com/apt-trends-report-q1-2024/112473/