A new malware espionage campaign is hitting utilities and manufacturing companies among other victims and is covering more than 20 countries in North America, Europe, the Middle East, and Asia, researchers said.
In addition to utilities and manufacturing companies, the malware is also going after activists, journalists, lawyers, the military and enterprises, according to the Electronic Frontier Foundation (EFF) and mobile security company Lookout.
The threat has been named Dark Caracal, and its activity goes back to 2012.
“This report uncovers a prolific actor with nation-state level advanced persistent threat (APT) capabilities, who is exploiting targets globally across multiple platforms,” the researchers said in the report. “The actor has been observed making use of desktop tooling, but has prioritized mobile devices as the primary attack vector. This is one of the first publicly documented mobile APT actors known to execute espionage on a global scale.”
As a part of the assault, the attackers were in search of SMS messages, call records, contacts, account information, WhatsApp, Telegram and Skype databases, files, legal and corporate documentation, photos, audio recordings, iPhone backups, and so on.
The attackers hit Android devices and Windows PCs, the researchers said.
The malware was able to exfiltrate data from Android devices via trojanized messaging apps (Signal, WhatsApp, Threema, Primo, Plus Messenger), security/privacy apps (Psiphon VPN, Orbot: TOR Proxy), or other apps (Adobe Flash, Google Play Push).
The apps, the researchers said, retained the legitimate functionality so they would not raise suspicion, but were also capable of spying on users and stealing information.
The malware, called Pallas, used to compromise Windows machines and spy on users’ activity includes the Bandook RAT and CrossRAT.
“Neither the desktop nor the mobile malware tooling use Zero Day vulnerabilities,” Lookout researchers said.
The malware relies on the permissions granted at installation in order to access sensitive user data, researchers said. There is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates.
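The combination the researchers describe, an app that already holds permissions over sensitive data and can also pull in further packages, is something a defender can look for before a trojanized app reaches a device. The script below is an added example, not code from the report or from Lookout/EFF: it reads a decoded AndroidManifest.xml, maps the declared permissions to the data types the report lists (SMS, call records, contacts, accounts, audio, files), and flags the manifest when that data access is paired with REQUEST_INSTALL_PACKAGES. The permission-to-data mapping, the flagging threshold and both sample manifests are this example's own assumptions.

```python
"""Triage a decoded Android manifest for broad data access plus the ability to install packages."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate the kinds of data the report says were collected.
# This mapping is the example's own assumption, not taken from the report.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.READ_EXTERNAL_STORAGE": "files and photos",
}
# Lets the app hand further packages to the system installer, i.e. fetch
# "additional applications or updates" as the report describes.
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which sensitive data a manifest can reach and whether it can also install packages."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    sensitive = {p: SENSITIVE[p] for p in sorted(requested) if p in SENSITIVE}
    data_types = sorted(set(sensitive.values()))
    can_install = INSTALL in requested
    return {
        "package": root.get("package"),
        "sensitive": sensitive,
        "data_types": data_types,
        "can_install_apps": can_install,
        # Heuristic (our assumption): access to two or more of the listed data
        # types combined with the ability to install more packages gets flagged.
        "suspicious": can_install and len(data_types) >= 2,
    }


# Constructed sample manifests; neither is taken from a real app or from the report.
TROJANIZED_MESSENGER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger.repack">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Messenger"/>
</manifest>
"""

PLAIN_FLASHLIGHT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for xml in (TROJANIZED_MESSENGER, PLAIN_FLASHLIGHT):
        r = triage_manifest(xml)
        verdict = "REVIEW" if r["suspicious"] else "ok"
        print(f"{r['package']}: {verdict}; can_install={r['can_install_apps']}; data={r['data_types']}")
```

The manifest inside an APK is stored in binary form, so decode it first (for example with apktool) and feed the resulting text to `triage_manifest`. A genuine messenger legitimately needs contacts and SMS access, which is why the heuristic keys on the pairing with package installation rather than on any single permission; treat a flag as a reason to inspect the app's network behaviour, not as proof of compromise.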
The desktop malware comes in a range of file types. There were no Zero Days or publicly known exploits located in the files.
The malware was delivered to victims via social engineering and spear-phishing.
The researchers believe the Dark Caracal threat is coming out of the headquarters of the General Directorate of General Security (GDGS) in Beirut, Lebanon.
Among the many infected devices, they identified some test devices. Within the cluster of test devices, they noticed what appeared to be unique Wi-Fi networks and found that they map to Beirut (some near the GDGS building).
Also, the logins into the administrative console of the C2 server come from three IP addresses, two of which have been geo-located just south of the GDGS’s building.
The infrastructure they uncovered serves a broad set of purposes: it includes command & control servers, servers for storing exfiltrated data, phishing content and malware, an Android App Store hosting malware, and so on.
“The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign targeted at journalists, activists, lawyers, and dissidents who were critical of President Nursultan Nazarbayev’s regime in Kazakhstan,” researchers said.
“After investigating related infrastructure and connections to Operation Manul, the team concluded that the same infrastructure is likely shared by multiple actors and is being used in a new set of campaigns. The diversity of seemingly unrelated campaigns that have been carried out from this infrastructure suggests it is being used simultaneously by multiple groups.”
This makes them believe that someone is renting out the Dark Caracal spyware platform to different nation-state actors.