- Sep 20, 2017
Text from Security Now
Dark Caracal Technical Report: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
This is a global cyber-espionage campaign being managed and run from the building of the
General Directorate of General Security (GDGS) in Beirut, Lebanon.
The GDGS is known to gather intelligence for national security purposes and for its offensive
cyber capabilities.
Dark Caracal is reusing the same infrastructure -- command and control servers, IP addresses,
hosting and database providers, domain registrars, etc. -- as was previously seen in the
Operation Manul campaign, which targeted journalists,
lawyers, and dissidents critical of the government of Kazakhstan.
The Dark Caracal effort has been conducting a multi-platform, Advanced Persistent Threat
(APT)-level surveillance operation targeting individuals and institutions globally.
Hundreds of gigabytes of data have been identified as having been exfiltrated from thousands of
victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia.
The mobile component of this APT is one of the first we’ve seen executing espionage on a global
scale.
Analysis shows Dark Caracal successfully compromised the devices of military personnel,
enterprises, medical professionals, activists, journalists, lawyers, and educational institutions.
Dark Caracal targets also include governments, militaries,
utilities, financial institutions, manufacturing companies, and defense contractors.
Types of exfiltrated data include documents, call records, audio recordings, secure messaging
client content, contact information, text messages, photos, and account data.
Dark Caracal follows the typical attack chain for cyber-espionage, relying primarily upon social
media, phishing, and in some cases physical access to compromise target systems, devices, and
accounts.
Some of Dark Caracal's espionage technology appears to have been developed in house -- and is
shared among various campaigns -- and other technology is purchased from or borrowed from
the dark web.
Lookout first discovered the presence of "Pallas" -- an implant used in multiple Trojanized
Android applications -- in May 2017.
Dark Caracal also makes extensive use of a Windows malware known as Bandook RAT (RAT =
Remote Access Trojan). Dark Caracal also uses a previously unknown multi-platform
(Windows/OSX/Linux) tool, written in Java, which Lookout and the EFF have dubbed CrossRAT.
Dark Caracal employs a continuously evolving global network infrastructure. The infrastructure
operators prefer to use Windows and the XAMPP stack on their C2 servers rather than the
traditional LAMP stack.
With this report, Lookout and the EFF are releasing more than 90 indicators of compromise
(IOC):
• 11 Android malware IOCs
• 26 desktop malware IOCs
• 60 domains, IP Addresses, and WHOIS information
The paper details: WiFi networks and SSIDs, IP addresses, the hosting providers being used,
the pseudonyms under which various services have been registered.
There are fully mature watering hole servers and phishing domains closely mimicking Facebook
and Twitter websites... and mature phishing attack campaigns aimed to lure targeted victims to
the phony spoofed sites.
Dark Caracal relies primarily on social engineering via posts on a Facebook group and WhatsApp
messages in order to compromise target systems, devices, and accounts. At a high-level, the
attackers have designed three different kinds of phishing messages, the goal of which is to
eventually drive victims to a watering hole controlled by Dark Caracal.
Surveillanceware — Mobile Capabilities
Pallas — Dark Caracal’s Custom Android Samples
Using their global sensor network, Lookout researchers were able to identify 11 unique Android
surveillanceware apps. The trojanized apps retain the legitimate functionality of the apps they
spoof and behave as intended.
The apps are found predominantly in trojanized versions of well-known secure messaging apps
including:
• Signal (org.thoughtcrime.securesms)
• Threema (ch.threema.app)
• Primo (com.primo.mobile.android.app)
• WhatsApp (com.gbwhatsapp)
• Plus Messenger (org.telegram.plus)
Neither the desktop nor the mobile malware tooling uses zero-day vulnerabilities. The trojanized
apps are simply downloaded in place of the intended application and then rely upon the
permissions granted at installation to access sensitive user data.
However, there are functions to allow an attacker to instruct an infected device to download and
install additional applications or updates. This means it’s possible for the operators behind Pallas
to push specific exploit modules to compromised devices to gain additional complete access.
Desktop Screenshots - This data included full screenshots taken at regular intervals and
uploaded to adobeair[.]net.
The authors of this report write: "By observing these images, it is disturbingly simple to watch a
victim go about his daily life and follow that individual every step of the way."
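As an added example (not part of the Security Now notes or of Lookout's report), a defender-side Python check built around the one indicator quoted above: it refangs adobeair[.]net, matches it against constructed proxy log lines (sample data, not real traffic), and flags any source that POSTs to the domain at a near-constant interval, which is the traffic pattern the regularly scheduled screenshot uploads would produce.

```python
import re
from datetime import datetime
from statistics import pstdev

# Indicator as published in the report, in its defanged form.
DEFANGED_IOCS = ["adobeair[.]net"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (adobeair[.]net, hxxp://) back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed sample proxy log (not real traffic): timestamp, source IP, method, host, bytes sent.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
SAMPLE_LOG = """\
2018-01-18T09:00:00 10.0.0.5 POST upload.adobeair.net 184320
2018-01-18T09:00:10 10.0.0.7 GET www.example.com 512
2018-01-18T09:05:00 10.0.0.5 POST upload.adobeair.net 190112
2018-01-18T09:10:00 10.0.0.5 POST upload.adobeair.net 187904
2018-01-18T09:15:00 10.0.0.5 POST upload.adobeair.net 191488
2018-01-18T09:20:00 10.0.0.9 GET adobe.com 1024
"""

def host_matches(host: str, iocs) -> bool:
    """True for the IOC domain itself or any subdomain of it (adobe.com must not match)."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in iocs)

def find_ioc_hits(log_text: str, iocs=IOC_DOMAINS):
    """Return (timestamp, src, method, host, bytes) for every line whose host hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, src, method, host, nbytes = m.groups()
        if host_matches(host, iocs):
            hits.append((datetime.fromisoformat(ts), src, method, host, int(nbytes)))
    return hits

def periodic_uploads(hits, min_events: int = 3, max_jitter_s: float = 30.0):
    """Map source IP -> mean interval (seconds) for sources whose POSTs arrive at a steady cadence."""
    by_src = {}
    for ts, src, method, _host, _nbytes in hits:
        if method == "POST":
            by_src.setdefault(src, []).append(ts)
    out = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_events, 2) and pstdev(gaps) <= max_jitter_s:
            out[src] = round(sum(gaps) / len(gaps))
    return out
```

With the constructed log, 10.0.0.5 is reported with a 300-second cadence while the unrelated GET to adobe.com is not matched.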
Quote: "Not only was Dark Caracal able to cast its net wide, it was also able to gain deep insight
into each of the victim’s lives. It did this through a series of multi-platform surveillance
campaigns that began with desktop attacks and pivoted to the mobile device. Stolen data was
found to include personal messages and photos as well as corporate and legal documentation. In
some cases, screenshots from its Windows malware painted a picture of how a particular
individual spent his evenings at home."
EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World