Security Architecture, Application security, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Malware, Phishing, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

EFF, Lookout uncover Dark Caracal spy group

A new threat actor named Dark Caracal and working out of a building operated by the Lebanese General Directorate of General Security (GDGS) has been fingered by Lookout and the Electronic Frontier Foundation (EFF) as being behind cyberattacks hitting thousands of victims in more than 20 nations worldwide.

The EFF and Lookout report indicated that Dark Caracal has stolen hundreds of gigabytes of data to include enterprise intellectual property and personally identifiable information from governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. The report said the GDGS is known to gather cyber intelligence to bolster its offensive cyber capabilities.

The group is believed to be currently running six distinct and concurrently operating campaigns some of which have been in operation since 2012.

Dark Caracal has ties to a previous operation uncovered by the EFF during its Operation Manul campaign which targeted journalists, lawyers, and dissidents critical of the Kazakhstan government.

The malicious group usual modus operandi is to use trojanized Android apps to install an APT normally utilizing social media, phishing and sometimes physical access to compromise a targeted system. The malware employed by Dark Caracal ranges from a custom-developed mobile spy tool called Pallas along with the more commonly used found FinFisher, Bandook RAT and other tools that are bought or rented off the Dark Web.

A standard Dark Caracal attack starts with a lure placed on a Facebook group and WhatsApp messages. These normally included political messages or links to Facebook groups that Dark Caracal believes would interest the victim. Successful WhatsApp phishing attacks then lead the victim to a watering hole server, while those hooked via Facebook were sent to a specially constructed malicious website using a fake Google, Facebook or Twitter domain. In some cases the Facebook targets would go to the watering hole server.

No matter which server the victims landed on the target would be served a series of trojanized Android Apps, which after installation would begin communicating with a command and control server found at adobeair[.] net.

The EFF and Lookout's investigation was able to identify four “personas”, two phone numbers and two domains associated with Dark Caracal, all of which are somehow connected to the email address op13@mail[.]com.

“Aliases associated with op13@mail[.]com include Nancy Razzouk, Hadi Mazeh, and Rami Jabbour. All of the physical addresses listed in the WHOIS domain registrations associated with op13@mail[.]com tend to cluster around the SSID: Bld3F6 Wi-Fi locations. This is near the General Security building in Beirut,” the report stated.

Once inside a victim's device it would spread to encompass both desktop and mobile platforms gathering stored images, texts and even using a phone to snap photos of what the owner was doing. The report noted that largest amount of data came via six Android campaigns that eventually delivered 48GB of information to the adobeair[.] net. This server also had an additional 33GB of information harvested through Windows campaigns.

The countries hit included the United States, China, France, India, South Korea and several Middle Eastern nations.

The type of data exfiltrated is almost as diverse as the victimized countries. In its Androd campaigns the report noted that Dark Caracal was interested in SMS text messages were particularly popular and included the users two-factor authentication and one-time password pins, (some still valid) receipts and airline reservations, and company communications. Mobile contact lists, call logs, Wi-Fi network details and audio recordings were also snatched.

The Windows malware grabbed screenshots, corporate and legal documentation and even iPhone back up logs. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.