An investigation by the Electronic Frontier Foundation and mobile security firm Lookout has uncovered Dark Caracal, a large-scale spying platform that has been hoovering up huge amounts of data from mobiles and desktops around the world.
Dark Caracal [PDF] appears to be run out of the Lebanese General Directorate of General Security (GDGS) in Beirut and has slurped hundreds of gigabytes of information, primarily from mobile phones but also from desktops. It shares infrastructure with a similar state-sponsored surveillance campaign, Operation Manul, which the EFF claimed last year was being run by the Kazakh government.
“This is definitely one group using the same infrastructure,” Eva Galperin, the EFF’s Director of Cybersecurity, told The Register. “We think there’s a third party selling this to governments.”
Dark Caracal has been lifting information from thousands of malware-infected devices in at least 21 countries, including documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data, from military, government and business targets as well as activists and journalists.
Dark Caracal has an impressive geographical reach
After the EFF released the Operation Manul report, Lookout went looking through its sample database to find the mobile malware responsible. It found it: a custom-built piece of Android malware dubbed Pallas. Pulling on that thread uncovered the larger network of malware and phishing infrastructure that makes up the Dark Caracal operation.
The primary mobile attack vector is trojanized applications hosted on third-party software markets. The Dark Caracal network made use of a site, secureandroid[.]info, that served what looked like legitimate apps such as WhatsApp and Signal but which had the malware bundled in.
Pallas doesn’t use zero-days. Instead it relies on the user granting it a large set of permissions at install time. Once those are granted it can surreptitiously record audio from the phone’s microphone, report the handset’s location, and read out essentially all the data the device contains. There is also some evidence that the malware was installed on phones by someone with physical access, although that is a far more time-intensive form of infection.
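Because Pallas needs no exploit, only permissions the user agrees to, the cheapest defensive check is to look at what a sideloaded APK asks for before installing it. The following Python triage script is an added example written for this article, not code from the Lookout/EFF report or from Pallas itself. It parses a decoded AndroidManifest.xml (the sample manifest below is constructed for the example), collects the declared uses-permission entries, and maps them onto the surveillance capabilities the article describes (microphone, location, messages, contacts, call log, storage). The capability-to-permission map and the "three or more capabilities" threshold are illustrative choices made here, not values from the report; in practice you would feed it the manifest produced by apktool or the output of aapt dump permissions, since the manifest inside an APK is binary XML.

```python
"""Triage the permissions requested by an Android app manifest.

Added example for this article (not from the Lookout/EFF report).
The sample manifest and the capability map are constructed here for
illustration; the map is a subset, not an exhaustive list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's form of android:name

# Surveillance capabilities mentioned in the article, mapped to the
# permissions that grant them. Illustrative subset chosen for this example.
CAPABILITIES = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "read messages": {"android.permission.READ_SMS",
                      "android.permission.RECEIVE_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read call log": {"android.permission.READ_CALL_LOG"},
    "read storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed sample: a "messenger" that asks for far more than messaging needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemessenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Messenger"/>
</manifest>
"""

# Constructed sample: what a minimal, plausibly benign manifest looks like.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def surveillance_capabilities(permissions):
    """Return the sorted capabilities that the given permissions unlock."""
    return sorted(cap for cap, perms in CAPABILITIES.items()
                  if perms & permissions)


def triage(manifest_xml, threshold=3):
    """Summarise a manifest; flag it when it unlocks >= threshold capabilities.

    The threshold is an illustrative heuristic for this example, not a rule
    from the report: a chat app legitimately wants contacts and maybe audio,
    but contacts + SMS + call log + location + storage together is the
    profile of a spyware implant, not a messenger.
    """
    perms = requested_permissions(manifest_xml)
    caps = surveillance_capabilities(perms)
    return {
        "permissions": sorted(perms),
        "capabilities": caps,
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("fake messenger", SAMPLE_MANIFEST),
                            ("flashlight", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok",
              result["capabilities"])
```

The script only tells you what an app could do if granted everything it asks for; on modern Android the user can still deny individual runtime permissions, so pair this with a look at what the app actually needs for its stated purpose. It also does nothing about the physical-access installs the report mentions, which bypass the user's judgement entirely.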
The infrastructure operators also make extensive use of phishing sites, including phony login pages for social media services and fake news forums, both to spread malware and to steal credentials.
In addition, Dark Caracal uses a previously unseen sample of FinFisher, the ‘legitimate’ surveillance malware sold to governments by Lench IT Solutions. It’s not known whether this copy was legitimately purchased or a demo version that was adapted.
On the desktop side the Dark Caracal network uses the Bandook trojan previously identified in Operation Manul, written in Delphi and targeting Windows systems. The initial stage is housed in trojanized applications signed with a valid code-signing certificate issued by Certum CA; once installed, it downloads further malware from the command and control servers.
The network also uses a new desktop trojan called CrossRAT. Written in Java, the malware can infect Windows, Linux and OS X systems and, once installed, tries to spread as widely as possible.
Other infection vectors include Microsoft Word documents with macros that run malicious code on the victim’s system. Fake Windows Help files also appear to be used to spread the infection.
The EFF and Lookout are currently trying to find out who exactly is running the Dark Caracal network. An update is expected in the summer, once attribution can be made with some certainty. ®