Researchers from non-profit campaign group ElectronicFrontier Foundation (EFF) and mobile security group Lookout have together uncovered malware that targets individuals such as military personnel, journalists, lawyers, and activists, using fake apps that look like popular messaging apps like WhatsApp and Signal.
The malware, dubbed “Dark Caracal” by the researchers, targets known Android weaknesses and iOS has not been affected by it.
According to their report on Dark Caracal (See BeLow), the malware was traced back to a server in a Lebanese government building — a building belonging to the Lebanese General Security Directorate in Beirut, Lebanon — and seems like the threat could be coming from a nation-state.
“We have identified hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia,” the report read.
“This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying because phones are full of so much data about a person’s day-to-day life,” said EFF Director of Cybersecurity Eva Galperin.
Data stolen through the spyware includes documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
According to EFF, WhatsApp or Signal have not been compromised, and Google has confirmed that the infected apps were not downloaded from its Play Store. Instead, the attackers use “spearphishing” to get these fake apps on targets’ phones, which is a phishing attack that specifically targets an individual using information the attacker has on the victim.
“All Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin.
Dark Caracal has reportedly been operating since 2012 but has been unable to track down because of the number of similar attacks happening all over the world that have repeatedly been misattributed to other cybercrime groups.
This research has shed light on how governments and people are able to spy on individuals all over the world.
Executive Summary
As the modern threat landscape has evolved, so have the actors. The barrier to entry for cyber-warfare has continued to decrease, which means new nation states — previously without significant offensive capabilities— are now able to build and deploy widespread multi-platform cyber-espionage campaigns.
This report uncovers a prolific actor with nation-state level advanced persistent threat (APT) capabilities, who is exploiting targets globally across multiple platforms. The actor has been observed making use of desktop tooling, but has prioritized mobile devices as the primary attack vector. This is one of the first publicly documented mobile APT actors known to execute espionage on a global scale.
Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut.
At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs.
Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign targeted at journalists, activists, lawyers, and dissidents who were critical of President Nursultan Nazarbayev’s regimein Kazakhstan.
The report describes malware and tactics targeting desktop machines, with references to a possible Android component.
After investigating related infrastructure and connections to Operation Manul, the team concluded that the same infrastructure is likely shared by multiple actors and is being used in a new set of campaigns.
The diversity of seemingly unrelated campaigns that have been carried out from this infrastructure suggests it is being used simultaneously by multiple groups. Operation Manul clearly targeted persons of interest to Kazakhstan, while Dark Caracal has given no indication of an interest in these targets or their associates. This suggests that Dark Caracal either uses or manages the infrastructure found to be hosting a number of widespread, global cyber-espionage campaigns.
Since 2007, Lookout has investigated and tracked mobile security events across hundreds of millions of devices around the world.
This mobile espionage campaign is one of the most prolific we have seen to date. Additionally, we have reason to believe the activity Lookout and EFF have directly observed represents only a small fraction of the cyber-espionage that has been conducted using this infrastructure.
SECURITY RESEARCH REPORT
Key Findings
- Our research shows that Dark Caracal may be administering its tooling out of the headquarters of the General Directorate of General Security (GDGS) in Beirut, Lebanon.
- The GDGS gathers intelligence for national security purposes and
for its offensive cyber capabilities according to previous reports.
- We have identified four Dark Caracal personas with overlapping TTP (tools, techniques, and procedures).
- Dark Caracal is using the same infrastructure as was previously seen in the Operation Manul campaign, which targeted journalists, lawyers, and dissidents critical of the government of Kazakhstan.
- Dark Caracal has been conducting a multi-platform, APT-leve surveillance operation targeting individuals and institutions globally.
- Dark Caracal has successfully run numerous campaigns in parallel and we know that the data we have observed is only a small fraction of the total activity.
- We have identified hundreds of gigabytes of data exfiltrated from thousands of victims, spanning 21+ countries in North America, Europe, the Middle East, and Asia.
- The mobile component of this APT is one of the first we’ve seen executing espionage on a global scale.
- Analysis shows Dark Caracal successfully compromised the devices of military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions.
- Dark Caracal targets also include governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.
- Types of exfiltrated data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
- Dark Caracal follows the typical attack chain for cyber-espionage.
They rely primarily on social media, phishing, and in some cases physical access to compromise target systems, devices, and accounts.
- Dark Caracal uses tools across mobile and desktop platforms.
- Dark Caracal uses mobile as a primary attack platform.
- Dark Caracal purchases or borrows mobile and desktop tools from actors on the dark web.
- Lookout discovered Dark Caracal’s custom-developed mobile surveillanceware (that we call Pallas) in May 2017. Pallas is found in trojanized Android apps.
- Dark Caracal has also used FinFisher, a tool created by a “lawful intercept” company that is regularly abused by other nation-state actors.
- Dark Caracal makes extensive use of Windows malware called Bandook RAT. Dark Caracal also uses a previously unknown, multi- platform tool that Lookout and EFF have named CrossRAT, which is able to target Windows, OSX, and Linux.
- Dark Caracal uses a constantly evolving, global infrastructure.
- Lookout and EFF researchers have identified parts of Dark
Caracal’s infrastructure, providing us with unique insight into its global operations.
- The infrastructure operators prefer to use Windows and XAMPP software on their C2 servers rather than a traditional LAMP stack, which provides a unique fingerprint when searching for related infrastructure.
- Lookout and EFF have identified infrastructure shared by Operation Manul and Dark Caracal as well as other actors.
- Attributing Dark Caracal was difficult as the actor employs multiple types of malware, and our analysis suggests the infrastructure is also being used by other groups.
Lookout and EFF are releasing more than 90 indicators of compromise (IOC):
- 11 Android malware IOCs
- 26 desktop malware IOCs
- 60 domains, IP Addresses, and WHOIS information
Read Full Study Lookout_Dark-Caracal_srr_20180118_us_v.1.0
Backgrounder