Threat Groups Series: Dark Caracal
Dark Caracal emerged in the early 2010s and is believed by several sources to be related to the Lebanese General Directorate of General Security (GDGS).
Note: All information in this and subsequent blog posts is open-source information compiled from the sources referenced at the bottom of the page. None of this information is derived from paid or private sources.
Targets
Dark Caracal has been observed targeting members of the groups listed below:
Government officials
Financial officials
Journalists
Healthcare professionals
Defense contractors
Legal institutions
It has targeted the aforementioned individuals/sectors in at least 21 countries.
Pallas surveillanceware
Lookout discovered and analyzed Pallas, custom-developed mobile surveillanceware, in May 2017.
Pallas targets Android phones. It can capture audio, video, and user input, track the device's location, read the contact list, enumerate every installed application, and delete files. The implant is delivered through trojanized Android apps.
Bandook trojan
"One of the primary signatures of the Dark Caracal threat group is their use of the Bandook trojan..." (EFF)
Bandook is a RAT that reports information about the infected endpoint to its C2 server and then waits for further commands. It typically reaches the end user through a phishing campaign carrying an infected Microsoft Office document.
References
https://attack.mitre.org/software/S0399/
https://attack.mitre.org/groups/G0070/
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot
https://threatpost.com/digitally-signed-bandook-trojan-spy-campaign/161676/