Friday 4 October 14:00 - 14:30, Green room
Georgy Kucherin & Marc Rivero López (Kaspersky)
The Mask (also known as Careto) is an advanced threat actor that has been operating since at least 2007. In the past, it was observed conducting cyberespionage campaigns that mainly targeted high-profile organizations. This actor's attacks have always been remarkable from a technical perspective, as they commonly involve the use of zero-day exploits, bootkits, and modular backdoors for different operating systems.
Over the last decade, the Mask has been doing its best to avoid getting caught by researchers: since 2014 there has not been any information about the group. Nevertheless, in our recent research we have managed to uncover a number of new campaigns of this threat actor – with the latest dated up to early 2024. In our paper we provide details about these campaigns, focusing on how the Mask has been achieving initial access, lateral movement, malware execution, and data exfiltration.
Specifically, we first describe how the Mask leveraged the MDaemon email server of one of the target organizations to gain an initial foothold inside it. We then detail how this threat actor used a previously unknown bug in a security solution to covertly spread malicious implants across machines. Afterwards, we discuss the capabilities of the delivered implants, as well as the stealth measures implemented inside them.
The Mask has always conducted cyber attacks with extreme caution. Despite this, members of this threat group have still made small but fatal mistakes during their recent operations. In the paper, we describe these errors, specifying how they helped not only to detect the discussed malicious activities, but also to attribute the discovered campaigns.
At the end of our paper we present a comparison between the historical and recent attacks of The Mask to demonstrate how the operations of the group have evolved over the years.
Georgy Kucherin is a junior researcher at Kaspersky's Global Research and Analysis Team and a fourth-year student at Moscow State University. He is passionate about analysis of complex malware and reverse engineering. His previous research includes attribution of the SolarWinds attack, as well as thorough investigations into APTs such as Operation Triangulation, Turla, FinFisher, APT41 and Lazarus.

Marc Rivero López is a leading figure in threat intelligence and malware analysis, notably having served in the past as Head of Research in the CERT/CSIRT teams of major banks. Currently, he works as Lead Security Researcher at Kaspersky's Global Research and Analysis Team. Marc's blend of scholarly and practical expertise enables him to solve intricate security challenges. As the Computer Security Master's program coordinator at La Salle Barcelona, Marc also plays a pivotal role in shaping future professionals in cybersecurity.