Ten years later, Careto’s cyberattacks return with new malicious techniques

According to Kaspersky, among the victims of this latest attack is an organization located in Latin America that had already been targeted in several previous attacks

Kaspersky analysts have discovered two new malicious campaigns carried out by the well-known Careto group, an advanced persistent threat (APT) actor last seen in 2013. Demonstrating a high level of sophistication, the actors conducted two complex cyberespionage campaigns using multimodal implants that can record microphone input, steal a wide range of files and data, and take full control of an infected device. The campaigns targeted organizations in Latin America and Central Africa.

Careto, an advanced persistent threat (APT) group, is known for its sophisticated attacks on government organizations, diplomatic entities, energy companies and research institutions. The group's activity was recorded between 2007 and 2013, and it has remained silent since then. However, Kaspersky's latest quarterly report on APT trends reveals details about recent malicious campaigns carried out by the Careto group, which indicate that the actor has resumed operations.

The initial infection vector was the organization's email server, which ran MDaemon software. This server was infected with a stand-alone backdoor that gave the attacker full control of the network. To spread through the internal network, the group exploited an unidentified vulnerability in a security solution, which allowed it to distribute malicious implants to several computers. The attacker deployed four sophisticated multimodal implants, designed by specialized professionals to maximize their impact.

This multimodal malware includes features such as microphone recording and file theft, with the aim of collecting system information, usernames, passwords, local directory paths and more. The operators showed a particular interest in confidential organizational documents; in cookies, form histories and login data from browsers such as Edge, Chrome, Firefox and Opera; and in cookies from messaging apps such as Threema, WeChat and WhatsApp.

According to Kaspersky, the targets of Careto's implants in this latest attack are an organization located in Latin America, which had already been hit by previous attacks in 2022, in 2019 and ten years ago, and an organization in Central Africa.

“Over the years, Careto has been developing malware that demonstrates a remarkably high level of complexity. Newly discovered implants are multimodal structures, with unique and sophisticated deployment tactics and techniques. Their presence indicates the advanced nature of Careto’s operations. We will continue to closely monitor the activities of this threat actor, as we hope that the malware discovered will be used in future attacks carried out by the Careto group,” says Georgy Kucherin, Kaspersky’s GReAT security researcher.

To avoid falling victim to a targeted attack, Kaspersky analysts recommend:

  • Provide the SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing data and insights on cyberattacks collected by Kaspersky over more than 20 years.
  • Upskill the cybersecurity team to tackle the latest targeted threats with Kaspersky's online training, developed by GReAT experts.
  • For timely detection, investigation and remediation of incidents at endpoints, use EDR solutions such as Kaspersky Next.
  • In addition to essential endpoint protection, adopt an enterprise-level security solution that detects advanced network-level threats at an early stage, such as the Kaspersky Anti Targeted Attack Platform.

Kaspersky analysts continually discover new tools, techniques and campaigns launched by APT groups in cyberattacks around the world. The company's experts monitor more than 900 operations and groups, 90% of which are related to espionage. The Careto campaign is detailed in Kaspersky's latest quarterly APT trends report (Q1). For more information about other advanced campaigns, visit Securelist.

More details about the return of the Careto group will be revealed at the next Virus Bulletin conference.