Mobile

1/23/2018
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Dark Caracal Campaign Breaks New Ground with Focus on Mobile Devices

This is the first known global-scale campaign primarily focused on stealing data from Android devices, Lookout and EFF say.

An advanced persistent threat (APT) group operating out of a building belonging to a Lebanese intelligence agency in Beirut has stolen hundreds of gigabytes of data from Android devices and desktop systems belonging to thousands of victims in over 20 countries, including the US.

Targets of the global cyber-espionage campaign by the so-called Dark Caracal group have included government and military personnel, defense contactors, activists, and journalists in North America, Europe, and Asia, researchers from Lookout and the Electronic Frontier Foundation said in a report last week.

The two organizations described Dark Caracal's activities as targeting multiple platforms globally but being especially noteworthy for its unprecedented focus on mobile devices. "This is one of the first publicly documented mobile APT actors known to execute espionage on a global scale," Lookout and EFF said in the report.

Michael Flossman, lead of security research at Lookout, says available data suggests Dark Caracal began operations in 2012 and that some of its campaigns were still operational through the fall and winter of 2016 and into 2017. However, significant portions of Dark Caracal's infrastructure no longer appear to be live, he says.

"Attackers are increasingly going after mobile devices because of the access to both personal and corporate data these devices contain or can grant access to," Flossman says. "When it comes to malicious actors creating and deploying an Android surveillance capability, the barrier to entry is low and a high technical sophistication is not a prerequisite for success."

Lookout and EFF have released more than 90 indicators of compromise associated with the Dark Caracal threat. The list includes 11 Android indicators of compromise (IOCs) and 26 IOCs for desktop malware targeting Windows, Linux, and Mac systems.

A lot of the data that Dark Caracal has stolen was obtained from Android devices using Trojanized versions of popular applications like WhatsApp and Signal. Instead of using zero-day and other exploits, the group simply relied on targets making mistakes and downloading malicious apps on their devices.

The type of data the group has stolen includes location information and call records, text messages, contact information, photos, and audio recordings from infected devices.

The group's mobile attack malware includes Pallas, a custom-developed Android surveillance tool and a previously unseen lawful-intercept mobile surveillance software product from FinFisher.

Dark Caracal uses phishing as its primary attack vector, Flossman says. "We uncovered a number of Facebook groups as well as text messages that would phish a user into visiting a third-party party Android App Store called Secure Android," he says.

From here the user would install a working copy of apps such as WhatsApp, Signal, and Telegram, which would work exactly like the real thing but come embedded with the Pallas data-stealing tool. There's also evidence to suggest that in some cases Dark Caracal infected devices by gaining physical access to them, Flossman says.

While mobile devices appear to be the primary target, Dark Caracal also has tools for breaking into and stealing from Windows and other desktop systems. The group has extensively used Bandook, a Trojan for remotely controlling compromised Windows desktop systems. It also has been using CrossRAT, a previously unknown, multiplatform tool designed to target Windows, OS X, and Linux systems, Lookout said in its report.

Many other threat groups have used, and are continuing to use, portions of the same infrastructure that Dark Caracal used for its cyber-espionage campaign, suggesting that the group could be managing the infrastructure, Lookout and EFF said.

The mixed use of the infrastructure has made attribution very difficult. The seemingly unrelated campaigns originating from the same infrastructure have resulted in security researchers misattributing Dark Caracal's work to other threat groups in the past, EFF and Lookout said. One example is EFF itself, which in 2016 attributed a Dark Caracal campaign to Indian cybersecurity firm Appin.

Most organizations likely do not have to worry about the specific threat posed by Dark Caracal because of how targeted it is, EFF said in a blog post. And the group's data-stealing tools for mobile devices are a threat only to individuals who make the mistake of downloading the Trojanized Android apps from unofficial app stores.

Even so, Dark Caracal has wide-reaching implications for how state-sponsored surveillance and malware works. "Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life," EFF said in a separate release.

So far, there is no evidence to suggest that Dark Caracal has gone after iOS users, probably because it does not have the capabilities or the resources needed to break into and steal from iOS devices, Flossman adds.

"Importantly, they haven’t needed to target iOS," he says. "Their espionage campaigns targeting Android have been very successful and considering, geographically, where their targets likely reside, it makes sense that they have an Android focus."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.