A string of new spyware has been detected by security researchers. Dubbed Dark Caracal, the campaigns seem to be operating out of a government building in Lebanon. The campaigns have attacked thousands of victims in at least 21 countries. The broad range of targets also may mean that Dark Caracal is the latest form of spyware for hire, The Verge wrote.
The new findings were made by Lookout Security and the Electronic Frontier Foundation.
Dark Caracal Spyware Campaigns Explained
This is not the first time Dark Caracal has been linked to spyware campaigns stemming from governments. Attacks were initiated via spear phishing and watering hole attacks, and continued with malware implants deployed to covertly siphon data from the targets’ mobile phones.
Leaked data included passwords, phone records and chats – the type of information that reveals where the target has been and exposes their communications. Even though Dark Caracal is not necessarily sophisticated in its approaches, the damage it causes can be disastrous for the individual targeted.
Researchers succeeded in obtaining access to one of the hacker-controlled servers, and they were able to link the data to the above-mentioned government building in Lebanon. Wi-Fi network records were discovered on the server. Interestingly, most of the connections carried very little data, which suggested they were coming from test devices. One of these connections, called “Bld3F6”, was tracked and linked to a building in Beirut that belongs to Lebanon’s General Directorate of General Security, researchers said. This is Lebanon’s chief intelligence agency.
Within the cluster of test devices we noticed what could be unique Wi-Fi networks. Knowing that Wi-Fi networks can be used for location positioning, we used that data to geo-locate where these devices may have been by keying off network identifiers. We specifically focused on the Wi-Fi network SSID Bld3F6. Using the Wi-Fi geolocation service Wigle.net we saw these test device Wi-Fi networks mapped to Beirut. We also noticed Wi-Fi networks with SSID Bld3F6 mapped near the General Security building in Beirut, Lebanon.
According to Eva Galperin, one of the report’s authors and director at EFF, this “Bld3F6” network is the first that all of the test devices logged into. Researchers were able to see all kinds of information based on that.
Researchers also believe that the spyware is not linked solely to Lebanon’s General Directorate of General Security. Six campaigns were tracked and detailed in the report, in countries including Germany, Pakistan, and Venezuela. The very same attack was also detected in 2015 against dissidents in Kazakhstan. These details are quite important, as it’s highly unlikely that Lebanon’s government is the sole perpetrator. It is far more likely that the Dark Caracal spyware is part of a new spyware-for-hire service.
Dark Caracal follows the typical attack chain for client-side cyber-espionage. Mobile tools include a custom written Android surveillanceware implant Lookout named Pallas and a previously unknown FinFisher sample. The group’s desktop tools include the Bandook malware family and a newly discovered desktop surveillanceware tool that we have named CrossRAT, which is able to infect Windows, Linux, and OS X operating systems.
For further details, have a look at the original report.