Recent research links The Mask group to a 2022 attack on a Latin American organization, exploiting an MDaemon email server and WorldClient webmail for persistent access.
The initial compromise method remains unknown, but the attack on the MDaemon server highlights the risks of outdated or poorly configured email systems. The attackers exploited a vulnerability in the WorldClient webmail component’s extension loading mechanism.
By modifying the WorldClient.ini configuration file, they registered malicious extensions that intercepted HTTP requests, giving them a backdoor through which they could execute unauthorized actions and retain persistent access to the compromised server.
The attacker exploited WorldClient’s extension feature by creating a malicious DLL and setting malicious URLs in the CgiBase6 and CgiFile6 parameters. This enabled remote interaction with the malicious extension through HTTP requests, bypassing security and accessing sensitive data.
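A defender reviewing an MDaemon host would want to audit exactly the mechanism described above: CgiBaseN/CgiFileN pairs in WorldClient.ini that point at a DLL outside the WorldClient installation directory. The script below is an added example, not code from the original article or from the researchers it summarizes. It assumes the entries live in an INI section (the section name `[WebServer]`, the expected install path `C:\MDaemon\WorldClient`, and the sample INI content are all constructed for illustration) and flags any extension whose file path falls outside that directory.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample WorldClient.ini fragment (not a real capture). The section
# name and the CgiBaseN/CgiFileN pairing are assumptions about the file format.
SAMPLE_INI = r"""
[WebServer]
CgiBase0=/WorldClient.dll
CgiFile0=C:\MDaemon\WorldClient\WorldClient.dll
CgiBase6=/stats.dll
CgiFile6=C:\Windows\Temp\stats.dll
"""

# Assumed default install location; adjust to the host being audited.
EXPECTED_DIR = PureWindowsPath(r"C:\MDaemon\WorldClient")
KEY_RE = re.compile(r"^cgi(base|file)(\d+)$", re.IGNORECASE)


def _is_under(path, root):
    """Case-insensitive check that `path` lies beneath `root` (Windows paths)."""
    head = [p.lower() for p in path.parts[: len(root.parts)]]
    return head == [p.lower() for p in root.parts]


def parse_extensions(ini_text):
    """Collect CgiBaseN/CgiFileN entries from every section, keyed by index N."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # preserve key case so the report mirrors the file
    cp.read_string(ini_text)
    extensions = {}
    for section in cp.sections():
        for key, value in cp[section].items():
            match = KEY_RE.match(key)
            if not match:
                continue
            kind, index = match.group(1).lower(), int(match.group(2))
            extensions.setdefault(index, {})[kind] = value.strip()
    return extensions


def audit_extensions(ini_text, expected_dir=EXPECTED_DIR):
    """Return a finding for every extension whose DLL sits outside expected_dir."""
    findings = []
    for index, ext in sorted(parse_extensions(ini_text).items()):
        file_path = ext.get("file")
        if file_path is None:
            continue  # a CgiBase with no CgiFile loads nothing; skip it
        if not _is_under(PureWindowsPath(file_path), expected_dir):
            findings.append({
                "index": index,
                "base": ext.get("base"),
                "file": file_path,
                "reason": "extension DLL outside the WorldClient directory",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_INI):
        print(f"[!] CgiFile{finding['index']} -> {finding['file']} "
              f"(URL {finding['base']}): {finding['reason']}")
```

Run against the real WorldClient.ini (read the file and pass its text to `audit_extensions`) and compare the expected directory to the actual install path; any flagged entry deserves a look at the DLL's signature, timestamp and the web server log for requests to the matching URL.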
In 2022, attackers used a malicious extension to infiltrate a Latin American organization, executing commands to gather system data and move laterally within the network. They used legitimate tools like HitmanPro Alert’s driver alongside malicious DLLs, .bat files, and XML files to spread the infection across systems.
By exploiting a flaw in the Tpm-HASCertRetr.xml file, they scheduled tasks that ran commands from ~dfae01202c5f0dba42.cmd, which installed the hmpalert.sys driver. Because the driver does not properly verify the DLL it loads, the attackers placed their payload at C:\Windows\System32\hmpalert.dll and had the driver inject it into privileged processes such as winlogon.exe and dwm.exe at startup, giving them persistent, elevated access.
The malicious hmpalert.dll payload, known as FakeHMP, allowed attackers to steal files, log keystrokes, capture screenshots, and deploy additional malware, including a microphone recorder and file stealer.
The attack used two frameworks, Careto2 and Goreto. Careto2, installed through a multi-stage process, employed COM hijacking for persistence and a virtual filesystem for storing plugins. Goreto, written in Golang, connected to Google Drive for command-and-control, enabling commands, keylogging, and screenshot capture.
Both frameworks showcased advanced techniques, highlighting a sophisticated threat actor likely tied to the Mask group. Despite a decade-long hiatus, Careto remains a formidable cyber threat, leveraging innovative methods like persistence through MDaemon and implant delivery via HitmanPro Alert. Future campaigns are expected to be equally complex and disruptive.