The Mask cyberespionage operation, also known as Careto, conducted separate intrusions against an unnamed Latin American organization in 2019 and 2022, years after it was observed to have compromised nearly 400 organizations since 2007, The Hacker News reports.
After targeting the organization in 2019 with the Careto2 and Goreto malware frameworks, which target Microsoft OneDrive and Google Drive respectively, The Mask subjected the entity to another attack three years later that exploited the WorldClient webmail component for persistence, according to a Kaspersky analysis. That operation enabled reconnaissance and the deployment of the FakeHMP implant, which facilitated file access, keystroke logging, and malware compromise across the organization's computers. Kaspersky researchers also discovered that another machine had been targeted by the group through a HitmanPro Alert software driver earlier this year. "Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading through the HitmanPro Alert driver, as well as developing complex multi-component malware," said Kaspersky.