Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. ^[1]

ID: G0070

Version: 1.3

Created: 17 October 2018

Last Modified: 11 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string "&&&".^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Dark Caracal's version of Bandook adds a registry key to `HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run` for persistence.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Dark Caracal has used macros in Word documents that would download a second stage if executed.^[1]
Enterprise	T1005		Data from Local System	Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.^[1]
Enterprise	T1189		Drive-by Compromise	Dark Caracal leveraged a watering hole to serve up malicious code.^[1]
Enterprise	T1083		File and Directory Discovery	Dark Caracal collected file listings of all default Windows directories.^[1]
Enterprise	T1027		Obfuscated Files or Information	Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.^[1]
		.002	Software Packing	Dark Caracal has used UPX to pack Bandook.^[1]
Enterprise	T1566	.003	Phishing: Spearphishing via Service	Dark Caracal spearphished victims via Facebook and Whatsapp.^[1]
Enterprise	T1113		Screen Capture	Dark Caracal took screenshots using their Windows malware.^[1]
Enterprise	T1218	.001	Signed Binary Proxy Execution: Compiled HTML File	Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.^[1]
Mobile	T1476		Deliver Malicious App via Other Means	Dark Caracal distributes Pallas via trojanized applications hosted on watering hole websites.^[1]
Mobile	T1437		Standard Application Layer Protocol	Dark Caracal controls implants using standard HTTP communication.^[1]

Software

ID	Name	References	Techniques
S0234	Bandook	^[1]^[2]	Audio Capture, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Steganography, Peripheral Device Discovery, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Screen Capture, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File, Video Capture
S0235	CrossRAT	^[1]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Launch Agent, File and Directory Discovery, Screen Capture
S0182	FinFisher	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Access Call Log, Access Token Manipulation: Token Impersonation/Theft, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Capture Audio, Capture SMS Messages, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Exploit OS Vulnerability, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Input Capture: Credential API Hooking, Location Tracking, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Software Packing, Pre-OS Boot: Bootkit, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S0399	Pallas	^[1]	Access Call Log, Access Contact List, Access Stored Application Data, Application Discovery, Capture Audio, Capture Camera, Capture SMS Messages, Delete Device Data, Deliver Malicious App via Other Means, Input Prompt, Location Tracking, Network Information Discovery, Obfuscated Files or Information, Standard Application Layer Protocol, System Information Discovery

References

Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.

Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.