
Threat Groups Series: Dark Caracal

Dark Caracal emerged in the early 2010s and is believed by several sources to be related to the Lebanese General Directorate of General Security (GDGS).


Note: All information in this and subsequent blog posts is open-source information compiled from the sources referenced at the bottom of the page. None of this information is derived from paid or private sources.


Targets

Dark Caracal has been observed targeting members of the groups listed below:

  • Government officials

  • Financial officials

  • Journalists

  • Healthcare professionals

  • Defense contractors

  • Legal institutions

It has targeted the aforementioned individuals/sectors in at least 21 countries.


Pallas surveillanceware

In May 2017, Lookout discovered and analyzed Pallas, which is considered to be custom-developed mobile surveillanceware.


Pallas is developed to target Android mobile phones and has the ability to capture audio, video, and input, track location, access the contact list, enumerate all applications installed on the device, and delete files. The implant is delivered via trojanized Android apps.



Bandook trojan


One of the primary signatures of the Dark Caracal threat group is their use of the Bandook trojan... -EFF

The Bandook trojan is a RAT that sends information about the infected endpoint to its C2 server and then awaits additional commands. It typically reaches the end user through a phishing campaign that delivers an infected Microsoft Office document.


References

https://attack.mitre.org/software/S0399/

https://attack.mitre.org/groups/G0070/

https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot

https://threatpost.com/digitally-signed-bandook-trojan-spy-campaign/161676/

