Kaspersky researchers have uncovered two new malicious campaigns operated by the notorious Careto Advanced Persistent Threat (APT) group, marking their first activity since 2013. Demonstrating a remarkably high level of sophistication, the actors conducted two complex cyberespionage campaigns using a multimodal framework. This framework enables the recording of microphone input, stealing a wide range of files and data, and gaining overall control over the infected machine. The campaigns targeted organizations in Latin America and Central Africa.
Careto, an Advanced Persistent Threat (APT) group, is known for its highly sophisticated attacks primarily targeting government organizations, diplomatic entities, energy companies, and research institutions. Activity from this APT threat actor has been observed since 2007 up until 2013. Notably, there has been no news about this threat group since that time. In their quarterly report on APT trends, Kaspersky researchers are unveiling the details behind recent malicious campaigns, which they attribute to Careto.
The initial infection vector was the organization’s email server, which was running the MDaemon email software and which the attackers managed to compromise. This server was then infected with a distinct backdoor, granting the attacker control over the network. To propagate within the internal network, the threat actor exploited a previously unidentified bug in a security solution, enabling covert distribution of malicious implants across multiple machines. The attacker deployed four sophisticated, multi-modular implants designed with professional expertise for broad impact across the environment.
As a multimodal framework, the malware includes functionalities such as a microphone recorder and file stealer, with the aim of harvesting system configuration, login names, passwords, paths to directories on the local machine and more. The operators were observed to be particularly interested in the organization's confidential documents, cookies, form history, and login data for Edge, Chrome, Firefox, and Opera browsers, as well as cookies from Threema, WeChat, and WhatsApp messengers.
According to Kaspersky's visibility, the victims targeted by the newly discovered Careto implants are an organization in Latin America, previously compromised with Careto in 2022, 2019, and more than 10 years ago, and an organization in Central Africa.
‘Over the years, the Careto APT has been developing malware that demonstrates a remarkably high level of complexity. The newly discovered implants are intricate multimodal frameworks, with deployment tactics and techniques that are both unique and sophisticated. Their presence indicates the advanced nature of Careto's operations. We will continue to monitor the activities of this threat actor closely, as we expect the discovered malware to be utilized in future Careto attacks,’ comments Georgy Kucherin, Security Researcher at Kaspersky’s GReAT (Global Research and Analysis Team).
Kaspersky researchers continuously discover new tools, techniques, and campaigns launched by APT groups in cyberattacks around the world. The company’s experts monitor over 900 operations and groups, with 90% being related to espionage. The Careto campaign is described in Kaspersky’s latest APT Q1 trends report. To learn more about other advanced campaigns, visit Securelist.com.
Further details on Careto’s return will be unveiled at the upcoming Virus Bulletin conference.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky NEXT.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.