Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

ID: G0070
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1223 Compiled HTML File Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[1]
Enterprise T1005 Data from Local System Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.[1]
Enterprise T1189 Drive-by Compromise Dark Caracal leveraged a watering hole to serve up malicious code.[1]
Enterprise T1083 File and Directory Discovery Dark Caracal collected file listings of all default Windows directories.[1]
Enterprise T1027 Obfuscated Files or Information Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[1]
Enterprise T1060 Registry Run Keys / Startup Folder Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1]
Enterprise T1113 Screen Capture Dark Caracal took screen shots using their Windows malware.[1]
Enterprise T1064 Scripting Dark Caracal has used macros in Word documents that would download a second stage if executed.[1]
Enterprise T1045 Software Packing Dark Caracal has used UPX to pack Bandook.[1]
Enterprise T1194 Spearphishing via Service Dark Caracal spearphished victims via Facebook and Whatsapp.[1]
Enterprise T1071 Standard Application Layer Protocol Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.[1]
Enterprise T1204 User Execution Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[1]
Mobile T1476 Deliver Malicious App via Other Means Dark Caracal distributes Pallas via trojanized applications hosted on watering hole websites. [1]
Mobile T1437 Standard Application Layer Protocol Dark Caracal controls implants using standard HTTP communication. [1]


ID Name References Techniques
S0234 Bandook [1] Audio Capture, Command-Line Interface, Input Capture, Process Hollowing, Screen Capture, Video Capture
S0235 CrossRAT [1] File and Directory Discovery, Launch Agent, Registry Run Keys / Startup Folder, Screen Capture
S0182 FinFisher [1] Access Call Log, Access Token Manipulation, Binary Padding, Bootkit, Bypass User Account Control, Capture SMS Messages, Commonly Used Port, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking, DLL Side-Loading, Exploit OS Vulnerability, File and Directory Discovery, Hooking, Indicator Removal on Host, Location Tracking, Masquerading, Microphone or Camera Recordings, New Service, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Screen Capture, Security Software Discovery, Software Packing, System Information Discovery, Virtualization/Sandbox Evasion
S0399 Pallas [1] Access Call Log, Access Contact List, Access Sensitive Data or Credentials in Files, Application Discovery, Capture SMS Messages, Download New Code at Runtime, Location Tracking, Microphone or Camera Recordings, Standard Application Layer Protocol, System Information Discovery, User Interface Spoofing, Wipe Device Data