Operators behind Dark Caracal are still alive and operational

Pierluigi Paganini November 29, 2020

The Dark Caracal APT group has carried out a series of attacks against multiple sectors using a new variant of a 13-year-old backdoor Trojan.

The Dark Caracal cyberespionage group is back, researchers from Check Point uncovered a new series of attack against multiple industries.

The Dark Caracal is an APT group associated with the Lebanese General Directorate of General, in recent attacks it employed a new version of a 13-year-old backdoor Trojan dubbed Bandook.

The Bandook was spotted last time in 2015 and 2017 campaigns, dubbed “Operation Manul” and “Dark Caracal“, respectively attributed to Kazakh and the Lebanese governments. This circumstance suggests that the implant was developed by a third-party actor and used by multiple APT groups.

“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.” reads the report published by Check Point.

“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”

During the last campaign, the hackers targeted multiple sectors including Government, financial, energy, food industry, healthcare, education, IT, and legal institutions.

The APT group targeted entities in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia, and Germany.

The infection chain used in the attacks is constantly evolving, in the following image are reported the three main stages.

Dark Caracal malware-attack-flow

The first stage leverages a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. Upon opening the archive, malicious macros are downloaded, which subsequently proceeds to drop and execute a second-stage PowerShell script encrypted inside the original Word document.

In the last phase of the attack, the PowerShell script downloads encoded executable parts from legitimate cloud storage services like Dropbox or Bitbucket then assemble the Bandook loader, which injects the RAT into a new Internet Explorer process.

The Bandook RAT is available on the underground market since 2007, it supports common backdoor commands, including capturing screenshots and carrying out various file-related operations.

Experts noticed that the new release of Bandook is a slimmed-down version of the original variant malware and supports only 11 commands out of the 120 commands. The support for a subset of commands suggests the threat actors attempt to remain under the radar.

Experts observed several samples of the malware that were digitally signed with valid certificates issued by Certum. Check Point researchers also spotted two digitally-signed and unsigned variants which they believe are operated by a single entity.

“Some of this campaign’s characteristics and similarities to previous campaigns leads us to believe that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used during the Dark Caracal operation:

  • The use of the same certificate provider (Certum) throughout the various campaigns.
  • The use of the Bandook Trojan, in what appears to be a unique evolving fork from the same source code (which is not known to be publicly available). Samples from the Dark Caracal campaign (2017) utilized around 100 commands, compared to the current 120 command version we analyzed.
  • This wave of attacks shares the same anomalous characteristics for targeted attacks –  an extreme variance in the selected targets, both in their industry and their geographic spread.” concluded the experts.

“All evidence points to our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist in the offensive cyber operations to anyone who is willing to pay.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment