The Mask's Advanced Persistent Threats

‘The Mask’, or ‘Careto’, is Spanish-speaking advanced persistent threat (APT) group that began targeting victims in 2007. For the six years that followed, the group was prolific – attacking around 380 victims in 31 countries, including China, the US, UK, Brazil, Germany, and France. 

And then in 2013, The Mask vanished. 

One of the notable characteristics of the group was its complex toolset; including sophisticated malware, a bootkit, a rootkit, and versions for Mac and Linux – as well as suspected versions for Android and iOS. 

Its customised attack strategies allowed it to hide in advanced security product systems, which position The Mask as one of the most advanced threats the cybersecurity sector has encountered. Its targets included diplomatic offices and government institutions; energy, oil and gas companies; private equity firms; and major research institutions. 

The group was tracked by researchers at Kaspersky a decade ago. And now they’ve identified new activity from The Mask. 

New malicious frameworks in action 

Researchers at Kaspersky have recently spotted two new malicious campaigns operated by The Mask – signifying that they’re back in action after a decade-long hiatus. 

Two sophisticated, highly complex cyberespionage campaigns have been operated using a multimodal framework that allows the threat group to record microphone inputs, grab files and data, and gain “overall control over the infected machine.” The targets of these campaigns were located in Latin America and Central Africa. 

Georgy Kucherin (Security Research at Kaspersky’s GReAT) said in a statement, 

“Over the years, the Careto APT has been developing malware that demonstrates a remarkably high level of complexity. The newly discovered implants are intricate multimodal frameworks, with deployment tactics and techniques that are both unique and sophisticated. Their presence indicates the advanced nature of Careto's operations. We will continue to monitor the activities of this threat actor closely, as we expect the discovered malware to be utilised in future Careto attacks.”

A reminder to keep our eyes on the past, as well as the future

Cybersecurity is a fast-paced field, and we always have our eyes on the future. With advancements in technology and a threat landscape that’s constantly growing, we’re looking out for the next big threat – new dangers that appear around every corner. 

But the resurgence of The Mask is a reminder that we have to keep an eye on the past, too. New threats aren’t always only new – sometimes, they’re built on dangers we haven’t encountered for years. 

As Kucherin told Dark Reading, "These indicators date back to 10 years ago — which is quite a long time. For companies that are planning their cybersecurity strategies, it is crucial not to overlook activities of advanced persistent threats (APTs) that have been unseen for a lot of time, as these APTs can come up with completely new, unique attacks at any time."

The Mask isn’t the only threat group that Kaspersky included in their APT activity roundup for Q1 2024. Others on the list were Gelsemium and Kimsuky – both of which have been identified in exploits with political significance. 

But it’s the Careto group that really caught our attention: highlighting the reality that organised cyber threat groups are operating a long game. They might be quiet for long periods of time – but that doesn’t mean they’re gone. 

Register now to attend Black Hat MEA 2024.