CyberWisdom Safe Harbor Commentary on Dark Caracal
On January 18, EFF and Lookout published a 51-page report detailing the global operations of Dark Caracal, which is believed to operate out of a building belonging to the Lebanese General Directorate of General Security (GDGS) in Beirut.
Cyber Espionage by Dark Caracal
Cyber spies associated with the Lebanese General Directorate of General Security have run a series of stealthy hacking campaigns that, for the past six years, have stolen text messages, call records and files from journalists, military personnel, companies and other targets in 21 countries.
Nation-state actors continue to improve their offensive cyber capabilities, and almost any government-backed organization can now conduct extensive multi-platform cyber espionage.
This finding confirms that the barriers to entry in the cyberwar arena continue to fall and that new players are becoming more dangerous. The news was reported by the security firm Lookout and the digital rights group Electronic Frontier Foundation in a detailed joint report.
The researchers track the APT group as Dark Caracal. Its campaigns rely on custom Android malware bundled into fake versions of secure messaging apps such as Signal and WhatsApp.
“Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims.
Stolen data includes enterprise intellectual property and personally identifiable information.” states the report.
“We are aware of thousands of victims in 21 countries, but because we only gained insight into a small percentage of their operations, we believe there are likely many more,” Michael Flossman, security research services tech lead at Lookout, told eWEEK. “Victims identified thus far have included members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields and commercial enterprises.”
The investigation grew out of EFF's earlier Operation Manul report, which revealed similar espionage activity against journalists, dissidents and other critics of President Nazarbayev of Kazakhstan.
There are several reasons why Dark Caracal's activity over most of the past six years went unnoticed and unreported. According to Flossman, previous reports attributed Dark Caracal's operators, infrastructure and campaigns to state actors such as Russia (Fancy Bear/APT28), to the security firm Appin, or to various cybercrime groups.
“Their varied tactics, using multiple types of malware with overlapping infrastructure on various platforms, helped to create misattributions,” Flossman said. “It is also only relatively recently that we’ve seen Dark Caracal start to expand its capability into the mobile space.”
Dark Caracal’s attack chain
The attack chain implemented by Dark Caracal relies primarily on social engineering: the operators sent messages to victims through Facebook group posts and WhatsApp. At a high level, they designed three different kinds of phishing message to trick victims into visiting an attacker-controlled website, a typical watering-hole attack.
The malicious app can exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. Dark Caracal's malware can also use the device’s cameras and microphone to spy on the victim.
The group also used FinFisher, a commercial surveillance product that is sold to law enforcement and government agencies.
Researchers from Lookout and EFF found test devices that appear to be located at the Lebanese General Security Directorate in Beirut, suggesting that the Dark Caracal APT is tied to the government.
“Devices for testing and operating the campaign were traced back to a building belonging to the Lebanese General Directorate of General Security (GDGS), one of Lebanon’s intelligence agencies. Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal.” continues the report.
Dark Caracal also has Windows malware in its arsenal; the malicious code collects screenshots and files from infected PCs.
Lookout and EFF gained visibility into the attacker infrastructure in July 2017, which allowed the researchers to map the command-and-control infrastructure and determine that Dark Caracal is running at least six distinct campaigns. Some of these campaigns have been targeting victims for many years, across many countries, including China, the United States, India and Russia.
“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”
Further details are provided in the technical report, which includes more than 90 indicators of compromise.
Malicious software used by Dark Caracal
The attackers collect information from targeted Android devices and Windows PCs: SMS, call history, contacts, account information, WhatsApp, Telegram and Skype databases, files, legal and corporate documents, photos, voice recordings, iPhone backups, and more.
They have dubbed the threat Dark Caracal, and have traced its activities to as far back as 2012.
The malware used to steal data from Android devices is what the researchers call “Pallas”. It is delivered in trojanized versions of messaging applications (Signal, WhatsApp, Threema, Primo, Plus Messenger), security/privacy applications (Psiphon VPN, Orbot: Tor Proxy) and other applications (Adobe Flash, Google Play Push).
These applications retain their legitimate functionality and therefore do not look suspicious, but they can also spy on users (activate the microphone, take photos) and collect their data.
The malware used to infect Windows machines and monitor user activity includes the Bandook RAT (signed with a valid certificate) and CrossRAT, a new remote-access Trojan developed by Dark Caracal that can also infect Linux and OS X.
Three types of phishing messages
Dark Caracal relies on three types of phishing message, delivered as Facebook group posts and WhatsApp messages. Each is designed to lure victims to a watering-hole site, from which the Pallas malware is distributed inside trojanized applications such as WhatsApp, Signal and Tor-related apps. The researchers found that, alongside its malicious behaviour, each trojanized application keeps its full legitimate functionality. The attacker reaches private data simply through the permissions the user grants when installing the application.
The researchers found that Dark Caracal uses the Pallas mobile malware against Android devices. According to Flossman, Pallas did not use any new zero-day or unpatched Android vulnerabilities, and it does not require root privileges to operate.
He said: “The Pallas sample mainly relies on the permissions granted during installation to access sensitive user data, and we did not find any attacker infrastructure containing rooting packages.”
Flossman added that Pallas, unlike the Pegasus surveillance tool that Lookout helped discover in August 2016, does not rely on any advanced exploit capabilities.
He said: “Those responsible for maintaining the corporate network should think that purely zero-day defensive measures may provide inadequate protection.”
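The practical consequence of the last three paragraphs is that a Pallas-style implant is visible in the APK itself: the capability it needs is spelled out in the permissions it asks for, and the trojanized app carries a brand it has no right to. The script below is an added example, not code from the Lookout/EFF report, that triages a decoded AndroidManifest.xml (for instance the one `apktool d app.apk` produces) for exactly that combination: a surveillance-grade permission set plus a label that names a well-known messenger under a package name that is not the official one. The official package names for Signal, WhatsApp and Orbot are assumptions from memory, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_LABEL = "{%s}label" % ANDROID_NS

# Permissions that, granted together at install time, hand an app the data the
# report says Pallas exfiltrated. No root and no exploit: just user consent.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS": "read stored SMS, including 2FA codes",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "dump the contact list",
    "android.permission.GET_ACCOUNTS": "enumerate account identifiers",
    "android.permission.RECORD_AUDIO": "switch on the microphone",
    "android.permission.CAMERA": "take photos",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos, documents and chat databases",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
}

# Official package names of apps Dark Caracal impersonated.
# ASSUMPTION (from memory): verify against the genuine APK's signing certificate.
OFFICIAL_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "whatsapp": "com.whatsapp",
    "orbot": "org.torproject.android",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return package name, label, surveillance-relevant permissions and an
    impersonation verdict for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(A_LABEL, "") if app is not None else ""
    requested = [p.get(A_NAME, "") for p in root.findall("uses-permission")]
    hits = {p: SURVEILLANCE_PERMS[p] for p in requested if p in SURVEILLANCE_PERMS}

    # Impersonation: the label names a known messenger but the package is not
    # the official one. A fake that copies the real package name is not caught
    # here; that case is settled by the signing certificate instead.
    impersonates = next(
        (brand for brand, pkg in OFFICIAL_PACKAGES.items()
         if brand in label.lower() and package != pkg),
        None,
    )
    return {
        "package": package,
        "label": label,
        "surveillance_permissions": hits,
        "impersonates": impersonates,
        # Verdict: brand mismatch plus a broad surveillance permission set.
        "suspicious": impersonates is not None and len(hits) >= 3,
    }


def _manifest(package: str, label: str, perms: list) -> str:
    """Build a minimal decoded manifest (constructed sample input)."""
    uses = "\n".join('  <uses-permission android:name="%s"/>' % p for p in perms)
    return (
        '<manifest xmlns:android="%s" package="%s">\n%s\n'
        '  <application android:label="%s"/>\n</manifest>'
        % (ANDROID_NS, package, uses, label)
    )


# Constructed sample: a fake "Signal" under a foreign package name carrying the
# Pallas-style permission set.
TROJANIZED_MANIFEST = _manifest(
    "com.example.securechat", "Signal", [
        "android.permission.INTERNET",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
        "android.permission.READ_EXTERNAL_STORAGE",
    ])

# Constructed sample in the outline of the genuine Signal: it legitimately asks
# for SMS, contacts, microphone and camera, so the permission list alone proves
# nothing; the package name (and, in practice, the signer) must match.
GENUINE_LIKE_MANIFEST = _manifest(
    "org.thoughtcrime.securesms", "Signal", [
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
    ])


if __name__ == "__main__":
    for name, xml in (("trojanized", TROJANIZED_MANIFEST),
                      ("genuine-like", GENUINE_LIKE_MANIFEST)):
        r = audit_manifest(xml)
        print("%s: package=%s impersonates=%s suspicious=%s"
              % (name, r["package"], r["impersonates"], r["suspicious"]))
        for perm, why in r["surveillance_permissions"].items():
            print("   %-45s %s" % (perm, why))
```

The second sample is the caveat a practitioner needs: a legitimate SMS-capable messenger requests most of the same permissions, so the permission list is a triage signal, not a verdict. The check that actually settles whether a "Signal" build is genuine is the signer; `apksigner verify --print-certs app.apk` from the Android SDK build tools prints the certificate to compare against the developer's published one, and an app store that enforces the signer for a package name is why sideloaded copies from a watering-hole site are the delivery channel here.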
Dark Caracal currently does not use any tools that attack iOS devices directly, since its Android campaigns have been very successful. With its Android malware, Dark Caracal has been able to steal 264,535 files from victims around the world; it has also intercepted 486,766 messages using the Pallas mobile malware.
In addition to mobile malware, Dark Caracal uses a tool called CrossRAT to target Windows and macOS systems. CrossRAT lets the Dark Caracal operators take desktop screenshots and exfiltrate files.
EFF and Lookout investigated Dark Caracal's operations jointly, each with its own focus: EFF looked at the desktop components and Lookout at the mobile ones. Both groups studied the ownership and infrastructure of Dark Caracal.
Flossman said: “To speed up the process, we used a shared machine where researchers from both organizations could connect to analyze stolen data and infrastructure metadata.”
The research teams from EFF and Lookout used a variety of tools in the investigation. Among them was Maltego, used to map infrastructure, threat actors and related entities. Flossman said the researchers also used the open-source log2timeline project together with the open-source Kibana visualization tool to analyze the stolen data.
In addition, he said, custom tools were developed specifically for the Dark Caracal investigation. One such tool is an image-parsing and text-extraction application that uses the open-source TensorFlow machine learning library to quickly process images and identify those containing keywords of interest.
Flossman said: “This is one of the ways we found phishing content that was being sent to the targets.”
Although Dark Caracal is based in Lebanon, Flossman emphasizes finding victims throughout the world, including the United States and Canada.
“This is definitely something that end users in North America should be concerned about, especially if they are potential targets of cyber espionage. The investigation did highlight the shift of lower-sophistication actors toward targeting mobile devices, and the considerable success they have achieved in the process.”
Dark Caracal APT – Lebanese intelligence is spying on targets for years
A new long-running player has emerged in the cyber arena: the Dark Caracal APT, a hacking crew associated with the Lebanese General Directorate of General Security that has already conducted many stealthy hacking campaigns.
Threatpost also reported on this:
Sprawling Mobile Espionage Campaign Targets Android Devices
A massive mobile espionage campaign has been collecting troves of sensitive personal information since 2012, according to a new report from the Electronic Frontier Foundation and security firm Lookout. The attackers went after information stored on targets’ Android devices.
Researchers uncover mobile, PC surveillance platform tied to different nation-state actors
The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign that has targeted activists, journalists, lawyers, military personnel, and enterprises in more than 20 countries in North America, Europe, the Middle East, and Asia. They have dubbed the threat Dark Caracal, and have traced its activities to as far back as 2012.
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.