Cyber spies belonging to Lebanese General Directorate of General Security are behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.
New nation-state actors continue to improve offensive cyber capabilities and almost any state-sponsored group is able to conduct widespread multi-platform cyber-espionage campaigns.
This discovery confirms that the barrier to entry in the cyber-warfare arena has continued to
decrease and new players are becoming even more dangerous.
The news was reported in a detailed joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation.
The attack chain implemented by Dark Caracal relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.
The malicious app could exfiltrate text messages, including two-factor authentication codes, and other data from the victim’s device. Dark Caracal malware is also able to use devices cameras and the microphone to spy on the victims.
Unfortunately, the APT group also used another powerful surveillance software in its campaign, the malware is the dreaded FinFisher, a spyware that is often marketed to law enforcement and government agencies.
Lookout and the EFF launched their investigation in July 2017, the researchers were able to identify the Command and Control infrastructure and determined that the Dark Caracal hackers were running six unique campaigns. Some of the hacking campaigns had been ongoing for years targeting a large number of targets in many countries, including China, the United States, India, and Russia.
“Since we first gained visibility into attacker infrastructure in July 2017, we have seen millions of requests being made to it from infected devices. This demonstrates that Dark Caracal is likely running upwards of six distinct campaigns in parallel, some of which have been operational since January 2012. Dark Caracal targets a broad range of victims.” states the analysis. “Thus far, we have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets.”
Further details are provided in the technical report that includes more than 90 indicators of
(Security Affairs – Dark Caracal, APT)