TACTICAL CYBER INTELLIGENCE REPORT
Actor Type: II
Serial: TR-18-026-001
Countries: all
Report Date: 20180126
Dark Caracal APT Group
Researchers have identified an Advanced Persistent Threat (APT) group known as Dark Caracal (DC). DC claims to have stolen hundreds of gigabytes of data, including personally identifiable information. The types of stolen data include audio recordings, text messages, call records, documents, photos, contact information, secure messaging client content, account data, and enterprise intellectual property.
Their spyware targets multiple operating systems, including Android, Windows, Mac and Linux. In total, DC claims to have collected more than 252,000 contacts, 485,000 text messages and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords and PINs were stolen.[1] DC has conducted at least ten hacking campaigns since 2012, mainly against Android users. Users in twenty-one countries were targeted, across North America, Europe, the Middle East and Asia. This was a multiplatform cyber espionage campaign.[2]
Infection Techniques
The DC attackers sent spear phishing emails to numerous targets. Researchers found stolen data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers and educational institutions. In some cases, instead of luring victims to a malicious site, the attackers had physical access to users’ phones and installed their malicious apps directly. The malware distributed through the trojanized secure messaging app is called “Pallas.” The app maintained full functionality while Dark Caracal exfiltrated victims’ sensitive data.
Impact and Capability
The Pallas malware is capable of performing the following functions:
- Collecting photos from camera apps
- Reading all text messages
- Retrieving GPS coordinates
- Activating the device microphone and recording audio
- Collecting individual contacts
- Scanning nearby Wi-Fi access points and retrieving data
- Retrieving chat content from secure messaging applications (this only applies when a victim is using a secure messaging app that has been trojanized with Pallas)
- Retrieving device metadata
- Retrieving account information
- Sending SMS to an attacker-specified number
- Reading call logs
- Retrieving databases and corresponding keys of messaging applications
- Collecting lists of installed applications and packages
- Downloading and installing additional applications
- Uploading specific files
- Deleting specified files
- Harvesting credentials using phishing pop-ups
- Contacting C2 servers
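Most of the capabilities listed above can only be realised on Android if the app declares the matching permissions, so the permission set in an APK's manifest is a quick triage signal when a "secure messenger" is suspected of being trojanized. The following script is an added example, not code from the report or from the researchers it cites: it maps the report's capability list onto the Android permissions each would require (that mapping is our assumption) and checks a constructed manifest against it.

```python
"""Added example: triage an Android manifest against the Pallas capability list.
The capability-to-permission mapping and the sample manifest are constructed for
illustration; the permission strings themselves are real Android permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability as described in the report -> permissions an app would need to
# implement it. Assumption: this mapping is ours, the report does not state it.
CAPABILITY_PERMISSIONS = {
    "read text messages": {"android.permission.READ_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "GPS coordinates": {"android.permission.ACCESS_FINE_LOCATION"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "collect contacts": {"android.permission.READ_CONTACTS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "scan Wi-Fi access points": {"android.permission.ACCESS_WIFI_STATE",
                                 "android.permission.ACCESS_FINE_LOCATION"},
    "account information": {"android.permission.GET_ACCOUNTS"},
    "install additional applications": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "upload/delete files": {"android.permission.READ_EXTERNAL_STORAGE",
                            "android.permission.WRITE_EXTERNAL_STORAGE"},
    "phishing pop-ups over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission"))
    return {n for n in names if n}


def possible_capabilities(perms):
    """Capabilities from the report whose required permissions are all declared."""
    return sorted(cap for cap, need in CAPABILITY_PERMISSIONS.items() if need <= perms)


def triage(manifest_xml, threshold=5):
    """Return (capabilities, flagged). An app covering `threshold` or more of the
    report's capabilities is flagged for closer analysis; the threshold is arbitrary."""
    caps = possible_capabilities(declared_permissions(manifest_xml))
    return caps, len(caps) >= threshold


# Constructed manifest for a hypothetical messenger that asks for far more than
# a messenger needs (call logs, overlay windows, package installation).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""

if __name__ == "__main__":
    caps, flagged = triage(SAMPLE_MANIFEST)
    print("possible capabilities:", caps)
    print("flagged for analysis:", flagged)
```

A legitimate messenger will often need contacts, audio and even SMS (for verification codes), so the individual matches are not evidence on their own; the combination with call-log access, overlay windows and package installation is what makes a manifest worth a closer look, and runtime behaviour (C2 traffic, file exfiltration) still has to be confirmed separately.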
Besides using its own custom malware, Dark Caracal also used FinFisher.[3] FinFisher is a highly sophisticated surveillance tool often marketed to law enforcement and government agencies. An additional spyware tool named CrossRAT, which infects Windows, Linux and Mac OS X systems, has also been used by DC.
Mitigation and Prevention Strategies
The best way to prevent such infections is to install applications only from the Google Play store or other trusted sources, and never to sideload Android applications from untrusted sites.
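Because a trojanized app reaches the device by sideloading rather than through the store, one practical check on an Android fleet is to list each third-party package together with the package that installed it and flag anything not installed by Google Play. The script below is an added example, not part of the report: it parses the output of `adb shell pm list packages -3 -i` (the `-3` flag restricts the list to third-party packages, `-i` appends the installer) from a constructed sample, since it cannot talk to a device here.

```python
"""Added example: flag sideloaded third-party packages from `pm list packages -3 -i`
output. The sample output and package names below are constructed for illustration."""
import re

# Installers considered trusted. Google Play's package is com.android.vending;
# an enterprise store or MDM agent would be added here (assumption: fleet-specific).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Each line looks like: "package:<name>  installer=<installer-or-null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package (the string 'null' if unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installers[match.group("pkg")] = match.group("inst")
    return installers


def sideloaded_packages(pm_output, trusted=TRUSTED_INSTALLERS):
    """Third-party packages whose installer is not in the trusted set.
    'null' means the installer was not recorded, which for a third-party app
    usually means it was sideloaded (adb install or a manual APK install)."""
    return sorted(pkg for pkg, inst in parse_installers(pm_output).items()
                  if inst not in trusted)


# Constructed output; real output comes from `adb shell pm list packages -3 -i`.
SAMPLE_OUTPUT = """package:com.example.mail  installer=com.android.vending
package:org.example.securechat  installer=null
package:com.example.chatapp  installer=com.android.packageinstaller
package:com.example.maps  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in sideloaded_packages(SAMPLE_OUTPUT):
        print("not installed from a trusted store:", pkg)
```

A hit is a lead, not a verdict: developers and power users sideload legitimately, so the flagged packages are the ones to hash and compare against the vendor's published release, or to examine with the manifest triage above.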
Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
[1] https://thehackernews.com/2018/01/dark-caracal-android-malware.html
[2] https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf