Names | Dark Caracal (Lookout) ATK 27 (Thales) TAG-CT3 (Recorded Future) | |
Country | Lebanon | |
Sponsor | State-sponsored, General Directorate of General Security (GDGS) | |
Motivation | Information theft and espionage | |
First seen | 2007 | |
Description | (Lookout) Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs. Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data. | |
Observed | Sectors: Defense, Education, Financial, Government, Healthcare, Manufacturing, Media, Utilities and activists, lawyers and journalists. Countries: China, France, Germany, India, Italy, Jordan, Lebanon, Nepal, Netherlands, Pakistan, Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, USA, Venezuela, Vietnam. | |
Tools used | Bandook, CrossRAT, FinFisher, Pallas. | |
Operations performed | Jan 2012 | Operation “Dark Caracal” <https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf> |
2020 | During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family. <https://research.checkpoint.com/2020/bandook-signed-delivered/> | |
Information | <https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf> <https://www.dropbox.com/s/qjkcd56v3fhkjou/Whitepaper Dark Caracal Campaign.pdf?dl=0> | |
MITRE ATT&CK | <https://attack.mitre.org/groups/G0070/> |
Last change to this card: 09 December 2021
Download this actor card in PDF or JSON format
Previous: Dalbit
Next: DarkCasino
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |