Lebanon Spyware Uncovered, Steals Data through Fake Messaging Apps

Dark Caracal

Researchers from the non-profit campaign group Electronic Frontier Foundation (EFF) and the mobile security firm Lookout have together uncovered malware that targets individuals such as military personnel, journalists, lawyers, and activists, using fake apps that imitate popular messaging apps such as WhatsApp and Signal.

The malware, dubbed “Dark Caracal” by the researchers, targets known Android weaknesses; iOS has not been affected by it.

According to their report on Dark Caracal (see below), the malware was traced back to a server in a Lebanese government building — a building belonging to the Lebanese General Security Directorate in Beirut, Lebanon — which suggests the threat could be coming from a nation-state.

“We have identified hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia,” the report read.

“This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying because phones are full of so much data about a person’s day-to-day life,” said EFF Director of Cybersecurity Eva Galperin.

Data stolen through the spyware includes documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

According to EFF, neither WhatsApp nor Signal has been compromised, and Google has confirmed that the infected apps were not downloaded from its Play Store. Instead, the attackers use “spearphishing” to get these fake apps onto targets’ phones: a phishing attack aimed at a specific individual, using information the attacker already holds about the victim.

“All Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin.

Dark Caracal has reportedly been operating since 2012 but has gone untracked because the many similar attacks happening all over the world have repeatedly been misattributed to other cybercrime groups.

This research has shed light on how governments and people are able to spy on individuals all over the world. 

Executive Summary

As the modern threat landscape has evolved, so have the actors. The barrier to entry for cyber-warfare has continued to decrease, which means new nation states — previously without significant offensive capabilities — are now able to build and deploy widespread multi-platform cyber-espionage campaigns.

This report uncovers a prolific actor with nation-state level advanced persistent threat (APT) capabilities, who is exploiting targets globally across multiple platforms. The actor has been observed making use of desktop tooling, but has prioritized mobile devices as the primary attack vector. This is one of the first publicly documented mobile APT actors known to execute espionage on a global scale.

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut.

At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs.

Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign targeted at journalists, activists, lawyers, and dissidents who were critical of President Nursultan Nazarbayev’s regime in Kazakhstan.

The report describes malware and tactics targeting desktop machines, with references to a possible Android component.

After investigating related infrastructure and connections to Operation Manul, the team concluded that the same infrastructure is likely shared by multiple actors and is being used in a new set of campaigns.

The diversity of seemingly unrelated campaigns that have been carried out from this infrastructure suggests it is being used simultaneously by multiple groups. Operation Manul clearly targeted persons of interest to Kazakhstan, while Dark Caracal has given no indication of an interest in these targets or their associates. This suggests that Dark Caracal either uses or manages the infrastructure found to be hosting a number of widespread, global cyber-espionage campaigns.

Since 2007, Lookout has investigated and tracked mobile security events across hundreds of millions of devices around the world.

This mobile espionage campaign is one of the most prolific we have seen to date. Additionally, we have reason to believe the activity Lookout and EFF have directly observed represents only a small fraction of the cyber-espionage that has been conducted using this infrastructure.


Key Findings

  • Our research shows that Dark Caracal may be administering its tooling out of the headquarters of the General Directorate of General Security (GDGS) in Beirut, Lebanon.
  • The GDGS gathers intelligence for national security purposes and for its offensive cyber capabilities, according to previous reports.

  • We have identified four Dark Caracal personas with overlapping TTP (tools, techniques, and procedures).
  • Dark Caracal is using the same infrastructure as was previously seen in the Operation Manul campaign, which targeted journalists, lawyers, and dissidents critical of the government of Kazakhstan.
  • Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally.
  • Dark Caracal has successfully run numerous campaigns in parallel and we know that the data we have observed is only a small fraction of the total activity.
  • We have identified hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia.
  • The mobile component of this APT is one of the first we’ve seen executing espionage on a global scale.
  • Analysis shows Dark Caracal successfully compromised the devices of military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions.
  • Dark Caracal targets also include governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.
  • Types of exfiltrated data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
  • Dark Caracal follows the typical attack chain for cyber-espionage. They rely primarily on social media, phishing, and in some cases physical access to compromise target systems, devices, and accounts.

  • Dark Caracal uses tools across mobile and desktop platforms.
  • Dark Caracal uses mobile as a primary attack platform.
  • Dark Caracal purchases or borrows mobile and desktop tools from actors on the dark web.
  • Lookout discovered Dark Caracal’s custom-developed mobile surveillanceware (that we call Pallas) in May 2017. Pallas is found in trojanized Android apps.
  • Dark Caracal has also used FinFisher, a tool created by a “lawful intercept” company that is regularly abused by other nation-state actors.
  • Dark Caracal makes extensive use of Windows malware called Bandook RAT. Dark Caracal also uses a previously unknown, multi-platform tool that Lookout and EFF have named CrossRAT, which is able to target Windows, OSX, and Linux.
  • Dark Caracal uses a constantly evolving, global infrastructure.
  • Lookout and EFF researchers have identified parts of Dark Caracal’s infrastructure, providing us with unique insight into its global operations.

  • The infrastructure operators prefer to use Windows and XAMPP software on their C2 servers rather than a traditional LAMP stack, which provides a unique fingerprint when searching for related infrastructure.
  • Lookout and EFF have identified infrastructure shared by Operation Manul and Dark Caracal as well as other actors.
  • Attributing Dark Caracal was difficult as the actor employs multiple types of malware, and our analysis suggests the infrastructure is also being used by other groups.
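A defender-side illustration of the XAMPP-on-Windows fingerprint mentioned above, as used when triaging candidate infrastructure for clustering. This is an added example, not code from the Lookout/EFF report; the host names and Server header strings are constructed samples, and the regex assumes Apache's default verbose Server header format.

```python
import re
from typing import Dict, List

# Constructed sample Server headers for five hypothetical hosts; these are not
# values taken from the Lookout/EFF report.
SAMPLE_HEADERS: Dict[str, str] = {
    "host-a": "Apache/2.4.29 (Win32) OpenSSL/1.0.2n PHP/7.2.1",
    "host-b": "Apache/2.4.18 (Ubuntu)",
    "host-c": "nginx/1.14.0",
    "host-d": "Microsoft-IIS/8.5",
    "host-e": "Apache/2.4.33 (Win64) OpenSSL/1.1.0h PHP/7.2.5",
}

# Apache built for Windows reports Win32/Win64 as its platform token. XAMPP
# bundles Apache, OpenSSL and PHP on Windows, so a Windows Apache that also
# advertises PHP is the closest header-level match to the stack the report
# describes. The regex assumes the default verbose ServerTokens output.
_WIN_APACHE = re.compile(r"^Apache/(?P<ver>[\d.]+) \((?P<os>Win32|Win64)\)(?P<mods>.*)$")


def classify_server_header(header: str) -> str:
    """Bucket a Server header into a coarse stack fingerprint."""
    m = _WIN_APACHE.match(header.strip())
    if m:
        return "windows-apache-php" if "PHP/" in m.group("mods") else "windows-apache"
    if header.startswith("Apache/"):
        return "apache-other"  # typical LAMP-style or unknown-platform Apache
    return "other"


def hunt(headers: Dict[str, str]) -> List[str]:
    """Return the hosts whose header matches the Windows Apache + PHP fingerprint.

    A match is only a pivot for further triage (WHOIS, hosting, certificates),
    not evidence of anything on its own: many benign servers run XAMPP.
    """
    return sorted(h for h, s in headers.items()
                  if classify_server_header(s) == "windows-apache-php")


if __name__ == "__main__":
    for host, header in SAMPLE_HEADERS.items():
        print(f"{host}: {classify_server_header(header)}")
    print("candidates:", hunt(SAMPLE_HEADERS))
```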

Lookout and EFF are releasing more than 90 indicators of compromise (IOC):

  • 11 Android malware IOCs
  • 26 desktop malware IOCs
  • 60 domains, IP Addresses, and WHOIS information

Read Full Study Lookout_Dark-Caracal_srr_20180118_us_v.1.0


Volatile Cedar

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware.

Malware attribution is often tricky and deception-prone. With that in mind, investigation of the evidence leads us to suspect Volatile Cedar originates from Lebanon (hence its nickname). Moreover, the Volatile Cedar target vertical distribution strongly aligns with nation-state/political-group interests, eliminating the possibility of financially motivated attackers. There is clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.

Volatile Cedar is heavily based on a custom-made remote access Trojan named Explosive, which is implanted within its targets and then used to harvest information. Tracking down these infections was quite a difficult task due to the multiple concealment measures taken by the attackers. The attackers select only a handful of targets to avoid unnecessary exposure. New and custom versions are developed, compiled and deployed specifically for certain targets, and “radio silence” periods are configured and embedded specifically into each targeted implant.

The modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery. Once in control of a server, the attackers further penetrate the targeted internal network via various means, including manual online hacking as well as an automated USB infection mechanism. We will discuss the attack vectors and infection techniques used by the attack campaign as well as provide indicators that can be used to detect and remove the infection.

Evidence shows that the Explosive Trojan leverages its key logging capabilities to gain access to administrator passwords entered on the target servers. Additionally, residues of custom-built port scanners and several other attack tools have been found on the victim servers, leading us to believe the attackers use the initially infected servers as a pivot to manually spread to the entire network. More recent versions of the Explosive Trojan contain a configurable option for USB infection. When this option is enabled, Explosive infects any writable mass storage device connected to the server. This can be used to infect additional servers in environments where operational mass storage devices are shared between servers, as well as to infect an administrator’s home or office machines.

Volatile Cedar is a highly targeted and very well-managed campaign. Its targets are carefully chosen, confining the infection spread to the bare minimum required to achieve the attacker’s goal while minimizing the risk of exposure. Our analysis leads us to believe that the attackers conduct a fair amount of intelligence gathering to tailor each infection to its specific target.

The campaign’s initial targets are mostly public web servers, running the Windows operating system. We believe this is because these servers serve as publicly exposed, easily accessible gateways to private and more secure internal networks. As these servers have a common business functionality, their security is often sacrificed for productivity, making them an easy target for attackers. Once the attacker gains control over these servers, he can use them as a pivot point to explore, identify, and attack additional targets located deeper inside the internal network.

The typical attack begins with a vulnerability scan of the target server. Once an exploitable vulnerability is located, it is used to inject web shell code into the server. The web shell is then used by the attacker to control the victim server and is the means through which the Explosive Trojan is implanted into the victim server. This Trojan allows the attackers to send commands to all targets via an array of C&C servers. The command list contains all the functionality required by the attacker to maintain control and extract information from the servers and includes keylogging, clipboard logging, screenshots, run commands, etc.

Occasionally, mostly in cases where large data extractions are required, the attacker sets up additional SSH tunnels connecting to the attacker-controlled servers.

The first evidence of any Explosive version was detected in November 2012. Over the course of the timeline, several versions have been detected. New version release dates appear to be closely related to the occurrence of an AV detection event on the previous version, a fact which emphasizes the efforts taken to conceal the attack.