After a ten-year hiatus, the sophisticated cyber threat group known as Careto, also known as “The Mask,” has re-emerged with advanced attack strategies. Security researchers have detected renewed activity from Careto, indicating a significant evolution in their methods to compromise critical infrastructure and maintain persistent access to sensitive networks. The group, which has been active since at least 2007, traditionally targeted government agencies, diplomatic missions, and research institutions. Their sudden silence in early 2014 left cybersecurity experts speculating about their future operations.
However, detailed investigations into recent targeted attack campaigns have confirmed Careto’s active return. Analysts from Securelist have identified these latest operations, including notable attacks against an organization in Latin America during 2022. This resurgence is particularly concerning due to the group’s refined approach to network infiltration and sustained control, demonstrating their enduring threat to high-profile targets and critical infrastructure.
MDaemon Email Server Exploitation and WorldClient Persistence
The Careto group’s new infection vector centers on exploiting email server infrastructure. Upon gaining initial access to a victim’s network, the attackers targeted the MDaemon email server, a critical component for organizational communication. Instead of deploying overtly malicious software, Careto employed a subtle persistence technique that leveraged MDaemon’s WorldClient webmail component.
WorldClient allows for the integration of custom extensions. The attackers created a malicious extension and then modified the WorldClient.ini configuration file. These modifications redirected HTTP requests to their custom code by setting specific parameters, such as CgiBase6 to point to “/WorldClient/mailbox” and CgiFile6 to their malicious DLL. This allowed them to interact with the malicious extension through standard webmail traffic, making the intrusion remarkably stealthy and difficult to detect amidst normal email operations.
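The configuration change described above is something a defender can audit directly. The following script is an added example, not code from the article, from Securelist, or from MDaemon: it parses a WorldClient.ini fragment, pairs every CgiBaseN/CgiFileN entry, and flags any pair whose DLL lives outside the WorldClient install directory or whose URL base is not on an administrator's allow-list. The [WorldClient] section name, the install directory, the allow-listed base, and the sample entries are constructed assumptions; only the CgiBase6 value (/WorldClient/mailbox) comes from the article.

```python
"""Audit WorldClient.ini for CgiBase/CgiFile pairs that deviate from a baseline."""
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample WorldClient.ini fragment. The section name and entry 1 are
# assumptions; entry 6 mirrors the redirection the article describes
# (CgiBase6 -> /WorldClient/mailbox, CgiFile6 -> a DLL the attackers supplied).
SAMPLE_INI = """
[WorldClient]
CgiBase1=/WorldClient.dll
CgiFile1=C:\\MDaemon\\WorldClient\\WorldClient.dll
CgiBase6=/WorldClient/mailbox
CgiFile6=C:\\Windows\\Temp\\EXTENSION_DLL_PLACEHOLDER.dll
"""

# Assumed baseline: where MDaemon's own WorldClient DLLs live and which URL
# bases an administrator expects. Adjust both for your deployment.
INSTALL_DIR = PureWindowsPath(r"C:\MDaemon\WorldClient")
EXPECTED_BASES = {"/worldclient.dll"}

_CGI_KEY = re.compile(r"^Cgi(Base|File)(\d+)$", re.IGNORECASE)


def parse_cgi_entries(ini_text):
    """Return {index: {"base": ..., "file": ...}} for every CgiBaseN/CgiFileN key."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case; the regex is case-insensitive anyway
    parser.read_string(ini_text)
    entries = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            match = _CGI_KEY.match(key)
            if not match:
                continue
            kind, index = match.group(1).lower(), int(match.group(2))
            entries.setdefault(index, {})[kind] = value.strip()
    return entries


def find_suspicious_cgi_entries(ini_text, install_dir=INSTALL_DIR,
                                expected_bases=EXPECTED_BASES):
    """Return a list of (index, reason) tuples for entries that deserve review."""
    findings = []
    for index, entry in sorted(parse_cgi_entries(ini_text).items()):
        base = entry.get("base", "")
        file = entry.get("file", "")
        if not base or not file:
            findings.append((index, "incomplete pair: CgiBase or CgiFile missing"))
            continue
        # Strongest signal: a handler DLL loaded from outside the install directory.
        # PureWindowsPath compares case-insensitively, so C:\ and c:\ agree.
        if not PureWindowsPath(file).is_relative_to(install_dir):
            findings.append((index, f"CgiFile outside install dir: {file}"))
        # A base not on the allow-list (e.g. /WorldClient/mailbox) means ordinary
        # webmail requests are being routed into custom code.
        if base.lower() not in expected_bases:
            findings.append((index, f"unexpected CgiBase: {base}"))
    return findings


if __name__ == "__main__":
    for index, reason in find_suspicious_cgi_entries(SAMPLE_INI):
        print(f"Cgi entry {index}: {reason}")
```

Run it against a copy of the live WorldClient.ini and compare the output with a known-good copy taken at install time; an entry that is flagged on both checks, as entry 6 is here, is the pattern the article describes.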
From this established foothold, Careto deployed a previously unknown implant called FakeHMP. This was achieved through a sophisticated lateral movement strategy across the compromised network. The group used a legitimate system driver, the HitmanPro Alert driver (hmpalert.sys), to inject their malicious code into critical Windows processes such as winlogon.exe and dwm.exe. The FakeHMP implant gave the attackers extensive surveillance capabilities, including keystroke logging, screenshot capture, file exfiltration, and the ability to deploy additional malicious payloads.
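The driver-assisted injection described above leaves two observable traces: a driver load and a DLL appearing inside a process that normally loads only system images. The following correlation rule is an added example, not code from the article or from Securelist. It runs over constructed telemetry records loosely modelled on driver-load and image-load events (the field names, hostnames, timestamps, and file paths are placeholders, not observed indicators) and raises a high-severity finding when an untrusted DLL is loaded into winlogon.exe or dwm.exe within an hour of hmpalert.sys being loaded on the same host, and a medium-severity finding for the same image load without the driver correlation.

```python
"""Correlate driver-load and image-load telemetry to spot DLL injection into
winlogon.exe / dwm.exe that is preceded by a load of hmpalert.sys.
Event shape is constructed; map your own pipeline's fields onto it."""
from collections import defaultdict
from datetime import datetime, timedelta

PROTECTED_PROCESSES = {"winlogon.exe", "dwm.exe"}
WATCHED_DRIVERS = {"hmpalert.sys"}
# Assumed: directories from which these processes legitimately load DLLs.
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOW = timedelta(hours=1)

# Constructed sample telemetry (hosts, times and paths are placeholders).
SAMPLE_EVENTS = [
    {"host": "mail01", "time": "2022-05-01T10:00:00", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\hmpalert.sys"},
    {"host": "mail01", "time": "2022-05-01T10:05:00", "type": "ImageLoad",
     "process": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\ProgramData\PAYLOAD_PLACEHOLDER.dll"},
    {"host": "mail01", "time": "2022-05-01T10:05:10", "type": "ImageLoad",
     "process": r"C:\Windows\System32\dwm.exe",
     "image": r"C:\Windows\System32\dwmcore.dll"},   # benign: trusted directory
    {"host": "ws07", "time": "2022-05-01T11:00:00", "type": "ImageLoad",
     "process": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\ProgramData\PAYLOAD_PLACEHOLDER.dll"},  # no driver seen here
]


def _name(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _trusted_image(path):
    return path.lower().startswith(TRUSTED_IMAGE_DIRS)


def correlate(events):
    """Return findings for untrusted DLLs loaded into protected processes.

    Severity is "high" when a watched driver was loaded on the same host
    within WINDOW before the image load, otherwise "medium"."""
    driver_loads = defaultdict(list)  # host -> [(load time, driver name)]
    for ev in events:
        if ev["type"] == "DriverLoad" and _name(ev["image"]) in WATCHED_DRIVERS:
            driver_loads[ev["host"]].append(
                (datetime.fromisoformat(ev["time"]), _name(ev["image"])))

    findings = []
    for ev in events:
        if ev["type"] != "ImageLoad" or _name(ev["process"]) not in PROTECTED_PROCESSES:
            continue
        if _trusted_image(ev["image"]):
            continue
        loaded_at = datetime.fromisoformat(ev["time"])
        prior = [drv for when, drv in driver_loads[ev["host"]]
                 if timedelta(0) <= loaded_at - when <= WINDOW]
        findings.append({
            "host": ev["host"],
            "process": _name(ev["process"]),
            "image": ev["image"],
            "driver": prior[0] if prior else None,
            "severity": "high" if prior else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['image']} -> {f['process']}"
              + (f" (after {f['driver']})" if f["driver"] else ""))
```

The medium-severity path matters as much as the high one: hosts where the driver load was not captured, or where the attacker used a different loader, still show the untrusted image inside winlogon.exe or dwm.exe, which is rare enough on its own to be worth a look.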
This renewed activity by the Careto hacker group highlights their adaptability and continued ability to pose a significant threat. Their resurgence demonstrates a potent combination of extensive operational experience and innovative infection methods that exploit legitimate software components for maximum stealth and long-term persistence.