
Careto: Legendary Threat Group Hijacks Windows to Record Mics and Steal Files


Researchers reported a resurgence of activity by the Careto APT (Advanced Persistent Threat) group, also known as "The Mask," after a decade of apparent dormancy.

The analysis focused on attacks observed in 2019, 2022, and 2024. Careto relies on custom tools and techniques, and some functionality overlaps across the observed campaigns.

The configuration parameters of a suspected Careto framework, named "Careto2," are thought to be managed by a dynamic link library (DLL) called "ConfigMgr.dll."

A second DLL, "FileFilter.dll," indicates that the group can monitor file modifications on targeted systems.

Authentication panel of the WorldClient component

The "Storage.dll" component is most likely responsible for storing stolen data, while the "Kodak.dll" component suggests that the group can capture screenshots.

"Comm.dll" appears to be the exfiltration component: it uploads stolen information to attacker-controlled OneDrive storage.

Securelist's analysis of the commands employed by Careto revealed functionality for downloading files from Google Drive and executing them, potentially after decryption.

The group can also encrypt files and upload them to Google Drive, and can execute arbitrary shell commands on the compromised system.

Sample of the WorldClient.ini file containing plugin entries

Even ten years after it was first observed, the threat actor known as Careto still possesses remarkable cyberattack capabilities.

This persistence stems from its ability to innovate in infection techniques, including exploiting vulnerabilities in MDaemon email servers to establish persistent infections and abusing the HitmanPro Alert driver to load its implants.

Careto develops intricate multi-component malware. While predicting the timing of their next campaign is challenging, their history suggests future operations will likely exhibit the same high level of sophistication as past attacks.
