The malware researchers from ZLab analyzed a collection of samples related to a new APT tracked as Dark Caracal, which was discovered by Electronic Frontier Foundation in collaboration with Lookout Mobile Security.
Dark Caracal has been active at least since 2012, but only recently it was identified as a powerful threat actor in the cyber arena.
The first analysis of the APT linked it to Lebanese General Directorate of General Security.
Dark Caracal is behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.
One of their most powerful campaigns started in the first months of last year, using a series of trojanized Android applications to steal sensitive data from the victim’s mobile device. The trojan injected in these applications is known in the threat landscape with the name Pallas.
Threat actors use the “repackaging” technique to generate its samples, they start from a legitimate application and inject the malicious code before rebuilding the apk.
The target applications belongs to specific categories, such as social chat app (Whatsapp, Telegram, Primo), secure chat app (Signal, Threema), or software related to secure navigation (Orbot, Psiphon).
The attackers used social engineering techniques to trick victims into installing the malware. Attackers use SMS, a Facebook message or a Facebook post, which invites the victim to download a new version of the popular app through from a specific URL
http://secureandroid[.]info,
All the trojanized app are hosted at the same URL.
This malware is able to collect a large amount of data and to send it to a C&C through an encrypted URL that is decrypted at runtime. The capabilities of the trojan are:
Further details are included in the complete report published by CSE.
You can download the full ZLAB Malware Analysis Report at the following URL:
20180212_CSE_DARK_CARACAL_Pallas_Report.pdf
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Dark Caracal, Pallas malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
North Korea-linked actors deploy a new Linux variant of FASTCash malware to target financial systems,…
WordPress Jetpack plugin issued an update to fix a critical flaw allowing logged-in users to…
Pokemon dev Game Freak confirmed that an August cyberattack led to source code leaks and…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet products and Ivanti CSA bugs to…
An alleged nation-state actor exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) in…
Dutch police dismantled Bohemia/Cannabia, two major dark web markets for illegal goods, drugs, and cybercrime…
This website uses cookies.