Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

ID: G0070
Aliases: Dark Caracal
Version: 1.0

Alias Descriptions

NameDescription
Dark Caracal[1]

Techniques Used

DomainIDNameUse
EnterpriseT1223Compiled HTML FileDark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[1]
EnterpriseT1005Data from Local SystemDark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.[1]
EnterpriseT1189Drive-by CompromiseDark Caracal leveraged a watering hole to serve up malicious code.[1]
EnterpriseT1083File and Directory DiscoveryDark Caracal collected file listings of all default Windows directories.[1]
EnterpriseT1027Obfuscated Files or InformationDark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[1]
EnterpriseT1060Registry Run Keys / Startup FolderDark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1]
EnterpriseT1113Screen CaptureDark Caracal took screen shots using their Windows malware.[1]
EnterpriseT1064ScriptingDark Caracal has used macros in Word documents that would download a second stage if executed.[1]
EnterpriseT1045Software PackingDark Caracal has used UPX to pack Bandook[1]
EnterpriseT1194Spearphishing via ServiceDark Caracal spearphished victims via Facebook and Whatsapp.[1]
EnterpriseT1071Standard Application Layer ProtocolDark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”[1]
EnterpriseT1204User ExecutionDark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[1]

Software

IDNameTechniques
S0234BandookAudio Capture, Command-Line Interface, Input Capture, Process Hollowing, Screen Capture, Video Capture
S0235CrossRATFile and Directory Discovery, Launch Agent, Registry Run Keys / Startup Folder, Screen Capture
S0182FinFisherAccess Token Manipulation, Binary Padding, Bootkit, Bypass User Account Control, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking, DLL Side-Loading, File and Directory Discovery, Hooking, Indicator Removal on Host, Masquerading, New Service, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Screen Capture, Security Software Discovery, Software Packing, System Information Discovery

References