    Dark Caracal Targets Android Devices in Global Cyber-Espionage Campaign

    By Sean Michael Kerner - January 18, 2018

      A nation-state backed cyber-espionage campaign known as Dark Caracal that has been operational since 2012 has extracted hundreds of gigabytes of data from victims around the world, according to the Electronic Frontier Foundation and security firm Lookout.

      A 51-page report that the EFF and Lookout released on Jan. 18 details the global operations of Dark Caracal, which allegedly are being conducted out of an office building operated by the Lebanese General Directorate of General Security (GDGS) in Beirut.

      “We are aware of thousands of victims in 21 countries, but because we only gained insight into a small percentage of their operations, we believe there are likely many more,” Michael Flossman, security research services tech lead at Lookout, told eWEEK. “Victims identified thus far have included members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields and commercial enterprises.”

      There are several reasons why Dark Caracal remained largely unknown and unreported for the past six years. Flossman noted that previous reports have attributed Dark Caracal actors, infrastructure and campaigns to nation-state actors such as Russia (Fancy Bear/APT 28), as well as to the security company Appin or various cybercrime groups.

      “Their varied tactics, using multiple types of malware with overlapping infrastructure on various platforms, helped to create misattributions,” Flossman said. “It is also only relatively recently that we’ve seen Dark Caracal start to expand its capability into the mobile space.”  

      The researchers discovered that Dark Caracal uses the Pallas mobile malware that targets Android devices. Pallas doesn’t make use of any new zero-day or unpatched vulnerabilities in Android, according to Flossman. In addition, the Pallas malware doesn’t require root access to operate.

      “Pallas samples primarily rely on the permissions granted at installation in order to access sensitive user data, and we found no attacker infrastructure containing rooting packages,” he said. 

      Flossman added that Pallas, much like the Pegasus surveillance tool Lookout helped to uncover in August 2016, does not rely on any advanced exploitation capabilities.

      “Those responsible for defending corporate networks should consider that defensive measures purely focused on zero days may provide insufficient protection,” he said.
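As an added defensive check that is not from the report or this article: a script that parses `dumpsys package` output to find apps holding the kind of SMS, contact and storage permissions Pallas relies on, and prioritises those not installed from a trusted store. The sensitive-permission list, the trusted-installer set and the dumpsys line format are assumptions, and the sample output is constructed.

```python
import re

# Runtime permissions that let an app read SMS, contacts, files or audio
# without root or any exploit once the user grants them (assumed list).
SENSITIVE = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "READ_EXTERNAL_STORAGE", "RECORD_AUDIO")}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; adjust per fleet

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")
GRANT_RE = re.compile(r"(android\.permission\.\w+): granted=true")

def parse_dumpsys(text):
    """Map package -> {'installer', 'granted'} from `dumpsys package` output
    (line format approximated from real devices)."""
    apps, cur = {}, {"installer": "", "granted": set()}  # sink before 1st pkg
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            cur = apps.setdefault(m.group(1), {"installer": "unknown", "granted": set()})
        elif m := INSTALLER_RE.search(line):
            cur["installer"] = m.group(1)
        elif m := GRANT_RE.search(line):
            cur["granted"].add(m.group(1))
    return apps

def flag_risky(apps):
    """Apps holding sensitive grants that did not come from a trusted store."""
    return sorted(
        (pkg, a["installer"], sorted(a["granted"] & SENSITIVE))
        for pkg, a in apps.items()
        if a["granted"] & SENSITIVE and a["installer"] not in TRUSTED_INSTALLERS)

# Constructed sample: one Play-installed messenger and one sideloaded app.
SAMPLE = """\
  Package [com.example.messenger] (1a2b3c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.sideloaded] (4d5e6f):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":  # e.g. replace SAMPLE with `adb shell dumpsys package` output
    for pkg, installer, perms in flag_risky(parse_dumpsys(SAMPLE)):
        print(f"{pkg} (installer={installer}): {', '.join(perms)}")
```

Only granted permissions count, so a sideloaded app that merely requests READ_SMS without the user accepting it is not flagged.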

      Dark Caracal is not currently employing any tools that directly attack iOS devices, because its attacks against Android have been very successful. Using Android malware, Dark Caracal has been able to steal 264,535 files from victims around the world. In addition, Dark Caracal intercepted 486,766 text messages by using the Pallas mobile malware.

      Beyond the mobile malware, Dark Caracal also uses an attack tool called CrossRAT to target Windows and macOS systems. CrossRAT enables the Dark Caracal attackers to grab desktop screenshots as well as exfiltrate documents.

      Researcher Collaboration

      The EFF and Lookout worked together to uncover Dark Caracal’s operations, with each group having its own area of focus. The EFF looked at the desktop components, while Lookout focused on the mobile elements. Both groups worked on the attribution and infrastructure pieces of Dark Caracal. 

      “To speed up this process, we made use of a shared machine that researchers from both organizations could connect to for analysis of stolen data and infrastructure metadata,” Flossman said. 

      The team of researchers from the EFF and Lookout used multiple tools to help conduct the investigation. Among the tools was the Maltego forensics application, which was used for infrastructure, threat actor and entity mapping. Flossman said the researchers also used the open-source log2timeline project in combination with the Kibana open-source visualization tool for analysis of stolen data. 

      In addition, several custom tools were developed specifically for the Dark Caracal investigation, he said. One such tool is an image parsing and text extraction application that utilizes the open-source TensorFlow machine learning technology to rapidly process and identify images that contain keywords of interest.

      “This was one of the ways we found images of phishing content being sent to targets,” Flossman said.

      Although Dark Caracal is based out of Lebanon, Flossman emphasized that victims were found all over the world, including the United States and Canada.

      “This is absolutely something that should be concerning to end users in North America, particularly if they are otherwise considered to be a potential target for nation-state cyber-espionage,” he said. “This investigation really highlights an increasing trend of low sophistication actors shifting to target mobile devices and having considerable success in the process.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.