Careto APT resurfaces after 10 years with new malicious frameworks

Woburn, MA – May 9, 2024 – Kaspersky researchers have uncovered two new malicious campaigns operated by the notorious Careto Advanced Persistent Threat (APT) group, marking its first activity since 2013. Demonstrating a remarkably high level of sophistication, the actors conducted two complex cyberespionage campaigns using a multimodal framework. This framework enables the recording of microphone input, stealing a wide range of files and data, and gaining overall control over the infected machine. The campaigns targeted organizations in Latin America and Central Africa.

Careto, an Advanced Persistent Threat (APT) group, is known for its highly sophisticated attacks primarily targeting government organizations, diplomatic entities, energy companies, and research institutions. Activity from this APT threat actor was first observed from 2007 until 2013. Notably, there has been no news about this threat group since that time. The new findings are included in Kaspersky’s quarterly report on APT trends, which captures details on recent malicious campaigns.

The initial vector of infection involved the attackers managing to compromise the organization’s email server, which was running the MDaemon email software. This server was then infected with a distinct backdoor, granting the attacker control over the network. To propagate within the internal network, the threat actor exploited a previously unidentified bug in a security solution, enabling covert distribution of malicious implants across multiple machines. The attacker deployed four sophisticated, multi-modular implants designed with professional expertise for volumetric impact.

As a multimodal framework, the malware includes functions such as a microphone recorder and file stealer, with the aim of harvesting system configuration, login names, passwords, paths to directories on the local machine and more. The operators were observed to be particularly interested in the organization's confidential documents, cookies, form history, and login data for Edge, Chrome, Firefox, and Opera browsers, as well as cookies from Threema, WeChat, and WhatsApp messengers.

According to Kaspersky's visibility, the victims targeted by the newly discovered Careto implants are an organization in Latin America and an organization in Central Africa.

“Over the years, the Careto APT has been developing malware that demonstrates a remarkably high level of complexity,” said Georgy Kucherin, security researcher at Kaspersky’s GReAT (Global Research and Analysis Team). “The newly discovered implants are intricate multimodal frameworks, with deployment tactics and techniques that are both unique and sophisticated. Their presence indicates the advanced nature of Careto's operations. We will continue to monitor the activities of this threat actor closely, as we expect the discovered malware to be utilized in future Careto attacks.”

Kaspersky researchers continuously discover new tools, techniques, and campaigns launched by APT groups in cyberattacks around the world. The company’s experts monitor over 900 operations and groups, with 90% being related to espionage. The Careto campaign is described in Kaspersky’s APT Q1 trends report. To learn more about other advanced campaigns, visit Securelist.com.

Further details on Careto’s return will be unveiled at upcoming Virus Bulletin conference.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

·       Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.

·       Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts

·       For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky NEXT

·       In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform