JUST RELEASED: ATT&CK for Industrial Control Systems

Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

ID: G0070
Version: 1.1
Created: 17 October 2018
Last Modified: 16 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1223 Compiled HTML File

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[1]

Enterprise T1005 Data from Local System

Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.[1]

Enterprise T1189 Drive-by Compromise

Dark Caracal leveraged a watering hole to serve up malicious code.[1]

Enterprise T1083 File and Directory Discovery

Dark Caracal collected file listings of all default Windows directories.[1]

Enterprise T1027 Obfuscated Files or Information

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1]

Enterprise T1113 Screen Capture

Dark Caracal took screen shots using their Windows malware.[1]

Enterprise T1064 Scripting

Dark Caracal has used macros in Word documents that would download a second stage if executed.[1]

Enterprise T1045 Software Packing

Dark Caracal has used UPX to pack Bandook.[1]

Enterprise T1194 Spearphishing via Service

Dark Caracal spearphished victims via Facebook and Whatsapp.[1]

Enterprise T1071 Standard Application Layer Protocol

Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string "&&&".[1]

Enterprise T1204 User Execution

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[1]

Mobile T1476 Deliver Malicious App via Other Means

Dark Caracal distributes Pallas via trojanized applications hosted on watering hole websites. [1]

Mobile T1437 Standard Application Layer Protocol

Dark Caracal controls implants using standard HTTP communication. [1]


ID Name References Techniques
S0234 Bandook [1] Audio Capture, Command-Line Interface, Input Capture, Process Hollowing, Screen Capture, Video Capture
S0235 CrossRAT [1] File and Directory Discovery, Launch Agent, Registry Run Keys / Startup Folder, Screen Capture
S0182 FinFisher [1] Access Call Log, Access Token Manipulation, Binary Padding, Bootkit, Bypass User Account Control, Capture Audio, Capture SMS Messages, Commonly Used Port, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking, DLL Side-Loading, Exploit OS Vulnerability, File and Directory Discovery, Hooking, Indicator Removal on Host, Location Tracking, Masquerading, New Service, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Screen Capture, Security Software Discovery, Software Packing, System Information Discovery, Virtualization/Sandbox Evasion
S0399 Pallas [1] Access Call Log, Access Contact List, Access Stored Application Data, Application Discovery, Capture Audio, Capture Camera, Capture SMS Messages, Delete Device Data, Deliver Malicious App via Other Means, Input Prompt, Location Tracking, Network Information Discovery, Obfuscated Files or Information, Standard Application Layer Protocol, System Information Discovery