Dark Caracal Targets Android Devices in Global Cyber-Espionage Campaign

Researchers from Lookout and the Electronic Frontier Foundation discover an attack group operating out of Lebanon that has already impacted 21 countries.

Dark Caracal

A nation-state backed cyber-espionage campaign known as Dark Caracal, which has been operational since 2012, has extracted hundreds of gigabytes of data from victims around the world, according to the Electronic Frontier Foundation and security firm Lookout.

A 51-page report that the EFF and Lookout released on Jan. 18 details the global operations of Dark Caracal, which allegedly are being conducted out of an office building operated by the Lebanese General Directorate of General Security (GDGS) in Beirut.

"We are aware of thousands of victims in 21 countries, but because we only gained insight into a small percentage of their operations, we believe there are likely many more," Michael Flossman, security research services tech lead at Lookout, told eWEEK. "Victims identified thus far have included members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields and commercial enterprises."

There are several reasons why Dark Caracal remained largely unknown and unreported for the past six years. Flossman noted that previous reports have attributed Dark Caracal actors, infrastructure and campaigns to nation-state actors such as Russia (Fancy Bear/APT 28), as well as to the security company Appin or various cybercrime groups.

"Their varied tactics, using multiple types of malware with overlapping infrastructure on various platforms, helped to create misattributions," Flossman said. "It is also only relatively recently that we've seen Dark Caracal start to expand its capability into the mobile space."  

The researchers discovered that Dark Caracal uses the Pallas mobile malware that targets Android devices. Pallas doesn't make use of any new zero-day or unpatched vulnerabilities in Android, according to Flossman. In addition, the Pallas malware doesn't require root access to operate.

"Pallas samples primarily rely on the permissions granted at installation in order to access sensitive user data, and we found no attacker infrastructure containing rooting packages," he said. 

Flossman added that Pallas, much like the Pegasus surveillance tool Lookout helped to uncover in August 2016, does not rely on any advanced exploitation capabilities.

"Those responsible for defending corporate networks should consider that defensive measures purely focused on zero days may provide insufficient protection," he said.
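The point above is that Pallas gets its reach from ordinary permissions an app declares and the user grants, not from exploits, so a defender can catch a lot of it with a static permission audit. The following is an added example, not code from the Lookout/EFF report or from any Pallas sample: it parses a constructed AndroidManifest.xml with the standard library and flags apps whose declared permissions add up to a surveillance-style profile (messages, contacts, call log, microphone, location, storage). The permission grouping and the threshold of three are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, granted at install or at runtime, give an app the data
# reach the article describes for Pallas. The grouping is this example's
# own choice, not a criterion from the Lookout/EFF report.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "capture images",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage",
}

# Constructed manifest for a hypothetical "chat" app; not a real malware sample.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="ChatApp"/>
</manifest>
"""

# Constructed manifest for a benign camera utility, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camerautil">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="CameraUtil"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit_manifest(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag surveillance-relevant permissions and decide whether the
    combination crosses the (example-chosen) suspicion threshold."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    flagged = {p: SURVEILLANCE_PERMISSIONS[p]
               for p in perms if p in SURVEILLANCE_PERMISSIONS}
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "suspicious": len(flagged) >= threshold,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "ok")
        for perm, capability in result["flagged"].items():
            print("  ", perm, "->", capability)
```

On a fleet, the same audit can be run over the manifests extracted from each installed APK (for instance via `aapt dump xmltree`), and the threshold tuned so that genuine messaging or dialer apps are reviewed rather than blindly blocked; the value here is that nothing Pallas needs is hidden from this kind of inventory.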

Dark Caracal is not currently employing any tools that directly attack iOS devices, because the attacks against Android have been very successful. Using Android malware, Dark Caracal has been able to steal 264,535 files from victims around the world. In addition, Dark Caracal intercepted 486,766 text messages by using the Pallas mobile malware.

Beyond the mobile malware, Dark Caracal also uses an attack tool called CrossRAT to target Windows and macOS systems. CrossRAT enables the Dark Caracal attackers to grab desktop screenshots as well as exfiltrate documents.

Researcher Collaboration

The EFF and Lookout worked together to uncover Dark Caracal's operations, with each group having its own area of focus. The EFF looked at the desktop components, while Lookout focused on the mobile elements. Both groups worked on the attribution and infrastructure pieces of Dark Caracal. 

"To speed up this process, we made use of a shared machine that researchers from both organizations could connect to for analysis of stolen data and infrastructure metadata," Flossman said. 

The team of researchers from the EFF and Lookout used multiple tools to help conduct the investigation. Among the tools was the Maltego forensics application, which was used for infrastructure, threat actor and entity mapping. Flossman said the researchers also used the open-source log2timeline project in combination with the Kibana open-source visualization tool for analysis of stolen data. 

In addition, several custom tools were developed specifically for the Dark Caracal investigation, he said. One such tool is an image parsing and text extraction application that utilizes the open-source TensorFlow machine learning technology to rapidly process and identify images that contain keywords of interest.

"This was one of the ways we found images of phishing content being sent to targets," Flossman said.

Although Dark Caracal is based out of Lebanon, Flossman emphasized that victims were found all over the world, including in the United States and Canada.

"This is absolutely something that should be concerning to end users in North America, particularly if they are otherwise considered to be a potential target for nation-state cyber-espionage," he said. "This investigation really highlights an increasing trend of low sophistication actors shifting to target mobile devices and having considerable success in the process."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
