Kaspersky researchers have uncovered two new malicious campaigns operated by the notorious Careto Advanced Persistent Threat (APT) group, marking their first activity since 2013. Demonstrating a remarkably high level of sophistication, the actors conducted two complex cyberespionage campaigns using a multimodal framework. This framework enables the recording of microphone input, stealing a wide range of files and data, and gaining overall control over the infected machine. The campaigns targeted organizations in Latin America and Central Africa.
Careto, an Advanced Persistent Threat (APT) group, is known for its highly sophisticated attacks primarily targeting government organizations, diplomatic entities, energy companies, and research institutions. Activity from this APT threat actor has been observed since 2007 up until 2013. Notably, there has been no news about this threat group since that time. In their quarterly report on APT trends, Kaspersky researchers are unveiling the details behind recent malicious campaigns, which they attribute to Careto.
The initial vector of infection that attackers managed to compromise the organization’s email server, which was running the MDaemon email software. This server was then infected with a distinct backdoor, granting the attacker control over the network. To propagate within the internal network, the threat actor exploited a previously unidentified bug in a security solution, enabling covert distribution of malicious implants across multiple machines. The attacker deployed four sophisticated, multi-modular implants designed with professional expertise for volumetric impact.
As a multimodal framework, the malware includes functionalities such as a microphone recorder and file stealer, with the aim of harvesting system configuration, login names, passwords, paths to directories on the local machine and more. The operators were observed to be particularly interested in the organization’s confidential documents, cookies, form history, and login data for Edge, Chrome, Firefox, and Opera browsers, as well as cookies from Threema, WeChat, and WhatsApp messengers.
According to Kaspersky’s visibility, the victims targeted by the newly discovered Careto implants are an organization in Latin America, previously compromised with Careto in 2022, 2019, and more than 10 years ago, and an organization in Central Africa.
‘Over the years, the Careto APT has been developing malware that demonstrates a remarkably high level of complexity. The newly discovered implants are intricate multimodal frameworks, with deployment tactics and techniques that are both unique and sophisticated. Their presence indicates the advanced nature of Careto’s operations. We will continue to monitor the activities of this threat actor closely, as we expect the discovered malware to be utilized in future Careto attacks,’ comments Georgy Kucherin, Security Researcher at Kaspersky’s GReAT (Global Research and Analysis Team).