Dark Caracal

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

ID: G0070
Version: 1.4
Created: 17 October 2018
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dark Caracal's version of Bandook communicates with its server over a TCP port using HTTP payloads that are Base64 encoded and suffixed with the string "&&&".[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dark Caracal has used macros in Word documents that would download a second stage if executed.[1]

Enterprise T1005 Data from Local System

Dark Caracal collected the complete contents of the 'Pictures' folder from compromised Windows systems.[1]

Enterprise T1189 Drive-by Compromise

Dark Caracal leveraged a watering hole to serve up malicious code.[1]

Enterprise T1083 File and Directory Discovery

Dark Caracal collected file listings of all default Windows directories.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Dark Caracal has used UPX to pack Bandook.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Dark Caracal has obfuscated strings in Bandook by Base64 encoding them and then encrypting them.[1]

Enterprise T1566 .003 Phishing: Spearphishing via Service

Dark Caracal spearphished victims via Facebook and WhatsApp.[1]

Enterprise T1113 Screen Capture

Dark Caracal took screenshots using their Windows malware.[1]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[1]

Enterprise T1204 .002 User Execution: Malicious File

Dark Caracal makes its malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[1]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

Dark Caracal controls implants using standard HTTP communication.[1]
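As an added defensive example (not part of the MITRE entry or the cited report), a small Python triage routine that flags captured HTTP request bodies matching the Bandook C2 framing described under T1071.001 above: Base64 data terminated by the string "&&&". The sample bodies are constructed; the decoder enforces strict alphabet and padding checks so that an arbitrary string that merely ends in "&&&" is not flagged.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample HTTP request bodies (not real Bandook traffic). Only the
# first follows the reported framing: a Base64 blob terminated by "&&&".
SAMPLE_BODIES = [
    "aW5mbyBjb21tYW5kIHJlc3VsdA==&&&",   # Base64 payload + "&&&" terminator
    "aW5mbyBjb21tYW5kIHJlc3VsdA==",      # Base64 but no terminator
    "user=alice&pass=***&&&",            # terminator present, not Base64
    "",                                  # empty body
]

TERMINATOR = "&&&"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_frames(body: str) -> List[str]:
    """Split a body into frames, each terminated by '&&&'. A trailing
    unterminated remainder is discarded, since the reported protocol
    suffixes every message with the terminator."""
    frames = []
    while TERMINATOR in body:
        frame, body = body.split(TERMINATOR, 1)
        frames.append(frame)
    return frames


def decode_frame(frame: str) -> Optional[bytes]:
    """Return decoded bytes if frame is strict, correctly padded Base64,
    otherwise None. Length must be a multiple of 4 and only the standard
    alphabet is accepted; validate=True rejects stray characters."""
    if not frame or len(frame) % 4 != 0 or not B64_RE.match(frame):
        return None
    try:
        return base64.b64decode(frame, validate=True)
    except (binascii.Error, ValueError):
        return None


def matches_bandook_framing(body: str) -> bool:
    """True when the body has at least one frame and every frame is Base64."""
    frames = split_frames(body)
    return bool(frames) and all(decode_frame(f) is not None for f in frames)


def triage(bodies: List[str]) -> List[str]:
    """Return the subset of captured bodies that match the framing heuristic."""
    return [b for b in bodies if matches_bandook_framing(b)]
```

The heuristic is a starting point for a network signature: pair it with the destination port and host context from your own telemetry, since "&&&"-terminated Base64 alone could appear in benign traffic.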

Software

ID Name References Techniques
S0234 Bandook [1][2] Audio Capture, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Steganography, Peripheral Device Discovery, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Screen Capture, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, User Execution: Malicious File, Video Capture
S0235 CrossRAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Create or Modify System Process: Launch Agent, File and Directory Discovery, Screen Capture
S0182 FinFisher [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Exploitation for Privilege Escalation, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: KernelCallbackTable, Indicator Removal: Clear Windows Event Logs, Input Capture: Credential API Hooking, Location Tracking, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Pre-OS Boot: Bootkit, Process Discovery, Process Injection: Dynamic-link Library Injection, Protected User Data: Call Log, Protected User Data: SMS Messages, Query Registry, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S0399 Pallas [1] Audio Capture, Exfiltration Over C2 Channel, Indicator Removal on Host: File Deletion, Input Capture: GUI Input Capture, Location Tracking, Obfuscated Files or Information, Protected User Data: Call Log, Protected User Data: Contact List, Protected User Data: SMS Messages, Software Discovery, Stored Application Data, System Information Discovery, System Network Connections Discovery, Video Capture

References