After a decade of disappearing from the cybersecurity landscape, the Careto threat group, also known as \u201cThe Mask,\u201d has resurfaced with sophisticated new attack methods targeting high-profile organizations. <\/p>\n
Security researchers have identified fresh evidence of Careto\u2019s activity, revealing how the group evolved its tactics to compromise critical infrastructure and maintain persistent access to sensitive networks.<\/p>\n
The Careto group has been conducting advanced cyberattacks since at least 2007, traditionally focusing on government agencies, diplomatic entities, and research institutions. Careto aka The Mask resurfaces after a decade, launching advanced attacks on high-profile targets and critical infrastructure.<\/p>\n
Known for deploying zero-day exploits to deliver complex implants, Careto remained silent after early 2014, leaving security experts uncertain about the group\u2019s future activities. <\/p>\n
However, detailed investigations into recent targeted attack clusters have confirmed that the group is actively conducting operations once more, demonstrating an alarming return to prominence.<\/p>\n
Securelist analysts and researchers identified<\/a> the group\u2019s recent campaigns, with notable evidence of attacks targeting an organization in Latin America during 2022. <\/p>\n What makes this resurgence particularly concerning is the group\u2019s refined approach to gaining and maintaining control within compromised networks.<\/p>\n The group\u2019s new infection method reveals a shift toward email infrastructure targeting. Upon breaching a victim\u2019s network, attackers gained access to the MDaemon email server, a critical communication hub. <\/p>\n Rather than deploying obvious malware<\/a>, Careto used a clever persistence technique leveraging MDaemon\u2019s WorldClient webmail component, which allows loading custom extensions.<\/p>\n The attackers compiled a malicious extension and modified the WorldClient.ini configuration file, adding entries that redirected HTTP requests to their custom code. <\/p>\n Specifically, they configured the CgiBase6 parameter to point toward \u201c\/WorldClient\/mailbox\u201d and set CgiFile6 to their malicious DLL, allowing them to interact with the extension through normal webmail traffic. <\/p>\n This technique proved remarkably effective because it blended with legitimate email operations<\/a>.<\/p>\n From this foothold, Careto deployed the previously unknown FakeHMP implant across the network using a sophisticated lateral movement strategy. <\/p>\n The group leveraged legitimate system drivers, particularly the HitmanPro Alert driver (hmpalert.sys), to inject malicious code into privileged Windows processes like winlogon.exe and dwm.exe. <\/p>\n The FakeHMP implant provided the attackers with comprehensive surveillance<\/a> capabilities, including keystroke logging, screenshot capture, file retrieval, and additional payload deployment.<\/p>\n This resurgence demonstrates that Careto remains a formidable threat, combining decades of operational experience with innovative infection methods that exploit legitimate software components for maximum stealth and persistence.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Careto Hacker Group is Back After 10 Years of Silence with New Attack Tactics<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMDaemon Email Server Exploitation and WorldClient Persistence<\/strong><\/h2>\n
![\"Authentication](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgNyQFwGmnktM_KaBrbhw5o9cTnZFa7Gr_6Tg6czOsDGmteJtAKcnY1a5G3aW3b9sBxX-sXuzEmjIZHKwiIi-8bR8-wqch8Lq1s5q0-OQDAREalfj3XyXnpm8hge2Ty4U3b66wlGp-Qfw5U3TgM6iyIqsxQTBTqaricxrddwrs5zewkYnELRqnYPPbLIA8\/s16000\/Authentication%2520panel%2520of%2520the%2520WorldClient%2520component%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")