The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007.
Kaspersky researchers have found traces of The Mask recently, identifying several cyberattacks that have been conducted by the threat actor.
One attack targeted an organization in Latin America in 2022, and the researchers established that attackers gained access to its MDaemon email server.
The researchers further discovered that attackers maintained persistence inside the organization using a unique method involving the MDaemon webmail component called WorldClient.
The persistence method used by the threat actor relied on WorldClient's support for loading extensions, which handle custom HTTP requests from clients to the email server.
The malicious extension installed by attackers implemented a set of commands associated with reconnaissance, performing file system interactions and executing additional payloads.
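As an added illustration, not code from Kaspersky's report, the following Python check shows how a defender could audit a WorldClient configuration for extension DLLs loaded from unexpected locations or under unknown names. The `[CgiBase]` section layout, the expected install directory and the sample file are all assumptions constructed for this example, not MDaemon's documented format.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample of a WorldClient.ini; the [CgiBase] layout is an
# assumption for this example, not MDaemon's documented format.
SAMPLE_INI = """
[CgiBase]
; name=path of the DLL that handles requests for that CGI name
WorldClient=C:\\MDaemon\\WorldClient\\WorldClient.dll
UtilityPush=C:\\Windows\\Temp\\updater.dll
"""

# Directory legitimate extensions are expected to load from (assumption).
EXPECTED_DIR = PureWindowsPath(r"C:\MDaemon\WorldClient")
# Extension names known to belong to the product (assumption for this example).
KNOWN_EXTENSIONS = {"WorldClient"}


def parse_extensions(ini_text):
    """Return {cgi_name: dll_path} from the [CgiBase] section, or {} if absent."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(ini_text)
    if not parser.has_section("CgiBase"):
        return {}
    return dict(parser.items("CgiBase"))


def suspicious_extensions(ini_text):
    """Flag extensions whose DLL sits outside EXPECTED_DIR or whose name is unknown."""
    findings = []
    for name, dll in parse_extensions(ini_text).items():
        reasons = []
        if PureWindowsPath(dll).parent != EXPECTED_DIR:
            reasons.append("dll outside expected directory")
        if name not in KNOWN_EXTENSIONS:
            reasons.append("unknown extension name")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in suspicious_extensions(SAMPLE_INI):
        print(f"{name}: {dll} -> {', '.join(reasons)}")
```

In practice the same check should be paired with verifying the signature and hash of every DLL the configuration references, since a legitimate path does not prove a legitimate file.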
The attackers used scheduled tasks to launch files that would configure the malware to persist on compromised devices, and they leveraged COM hijacking via the CLSID.
The malware deployed by The Mask uses cloud storage services for exfiltration and propagates across system processes.
Researchers attribute the attacks observed in 2022 and 2024 with medium to high confidence to The Mask.
The Kaspersky researchers attributed earlier attacks to The Mask as well, based on file names used by the malware and overlaps in TTPs.