Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, macOS, Windows | defense-evasion, execution | Scripting | Dark Caracal has used macros in Word documents that would download a second stage if executed. | Process monitoring, File monitoring, Process command-line parameters |
| Windows, Linux, macOS, SaaS | initial-access | Drive-by Compromise | Dark Caracal leveraged a watering hole to serve up malicious code. | Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection |
| Windows | persistence | Registry Run Keys / Startup Folder | Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence. |
Windows Registry, File monitoring |
| Linux, Windows, macOS | execution | User Execution | Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it. | Anti-virus, Process command-line parameters, Process monitoring |
| Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems. | File monitoring, Process monitoring, Process command-line parameters |
| Windows | defense-evasion, execution | Compiled HTML File | Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable. | File monitoring, Process monitoring, Process command-line parameters |
| Windows, macOS, Linux | initial-access | Spearphishing via Service | Dark Caracal spearphished victims via Facebook and Whatsapp. | SSL/TLS inspection, Anti-virus, Web proxy |
| Linux, macOS, Windows | discovery | File and Directory Discovery | Dark Caracal collected file listings of all default Windows directories. | File monitoring, Process monitoring, Process command-line parameters |
| Windows, macOS | defense-evasion | Software Packing | Dark Caracal has used UPX to pack Bandook. | Binary file metadata |
| Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Linux, macOS, Windows | collection | Screen Capture | Dark Caracal took screen shots using their Windows malware. | API monitoring, Process monitoring, File monitoring |
| Android, iOS | command-and-control, exfiltration | Standard Application Layer Protocol | Dark Caracal controls implants using standard HTTP communication. | |
| Android, iOS | initial-access | Deliver Malicious App via Other Means | Dark Caracal distributes Pallas via trojanized applications hosted on watering hole websites. |