The Careto group, an advanced persistent threat (APT) that had gone quiet since 2013, has resurfaced with two new cyber espionage campaigns targeting organizations in Latin America and Central Africa. According to a recent report by Kaspersky, the group used sophisticated techniques to record audio, steal files and data, and control infected devices.
The Careto group is known for its attacks on government, diplomatic, energy, and research organizations. The latest report reveals that the new campaigns began by exploiting vulnerabilities in email servers using MDaemon software. These vulnerabilities were exploited to infect the servers with a backdoor that gave full control of the network to the attacker.
To spread internally within organizations, Careto used multimodal implants that have capabilities for microphone recording, file theft, system information harvesting, usernames and passwords harvesting from browsers and messaging applications. These implants were distributed through a security solution vulnerability exploit.
Kaspersky reports that the victims targeted by Careto’s implants in this latest attack are located in Latin America and Central Africa. These regions had already been compromised by previous attacks in 2022, 2019, as well as ten years ago. Georgy Kucherin of Kaspersky’s GReAT stated that over the years Careto has been developing highly complex malware with unique deployment tactics and techniques. The presence of these implants indicates the advanced nature of Careto’s operations. He also stated that they will continue to closely monitor their activities as they expect these malware to be used in future attacks carried out by the Careto group.
