
A new malware espionage campaign named Dark Caracal discovered infecting thousands of people in more than 20 countries

A new malware espionage campaign named Dark Caracal has been discovered infecting thousands of people in more than 20 countries. The campaign has been active since 2012, stealing hundreds of gigabytes of data from victims around the world through mobile devices compromised by fake messaging apps. The trojanized app list includes WhatsApp, Signal, Threema, and Primo.

Security researchers from the Electronic Frontier Foundation (EFF) and mobile security company Lookout discovered the threat and said they traced the operations of Dark Caracal to an office controlled by the Lebanese General Security Directorate in Beirut. “People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos. This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying because phones are full of so much data about a person’s day-to-day life.”

Researchers discovered that Dark Caracal is using the same infrastructure seen in the Operation Manul campaign, which targeted journalists, lawyers, and dissidents critical of the government of Kazakhstan. The types of data stolen in the attack include call records, secure messaging client content, audio recordings, contact information, documents, text messages, photos, and account data. Dark Caracal uses mobile as its primary attack platform, and the threat identified is one of the first global-scale active mobile APTs.

“Dark Caracal follows the typical attack chain for cyber-espionage. They rely primarily on social media, phishing, and in some cases physical access to compromise target systems, devices, and accounts.”

Researchers discovered that Dark Caracal uses custom-developed Pallas mobile malware, which targets Android devices and is distributed through trojanized apps. The malware does not use any zero-day vulnerabilities in Android; instead, “it primarily relies on the permissions granted at installation in order to access sensitive user data.” Dark Caracal also uses FinFisher, a surveillance tool created by a lawful-intercept company. It also makes use of Windows malware called Bandook RAT and another multi-platform tool named CrossRAT, which targets Windows, Linux, and macOS.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware. This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

One of the reasons Dark Caracal remained unknown and unreported for the last six years is that most of its work was misattributed to other cybercrime groups such as APT28, Fancy Bear, and Appin. For more details, you can visit the report published by the researchers here.
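Because the article's central point is that the Pallas implant needed no exploit, only the permissions a user granted to a trojanized app, the practical check on a device is a permission audit: which installed packages have been granted access to the same data categories the campaign collected (call records, messages, audio, contacts, photos, documents, account data)? The script below is an added example written for this page, not code from the article or from the EFF/Lookout report. It parses the `name: granted=true/false` lines that `adb shell dumpsys package` prints for install-time and runtime permissions; the dump embedded in it is a constructed, abbreviated sample with placeholder package names, and the grouping of permissions into data categories is this example's own choice.

```python
import re

# Real Android permission names, grouped into the data categories the
# article lists as stolen. The grouping is this example's assumption.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.READ_CONTACTS": "contact information",
    "android.permission.READ_EXTERNAL_STORAGE": "documents and photos",
    "android.permission.GET_ACCOUNTS": "account data",
    "android.permission.CAMERA": "photos",
}

# Constructed, abbreviated `adb shell dumpsys package` output for two
# hypothetical packages. Package names are placeholders, not real apps.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.chat.clone] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.CAMERA
    install permissions:
    User 0: ceDataInode=124 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# Matches both install-time and runtime entries; the trailing
# ", flags=[...]" on runtime lines is simply not consumed.
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted_permissions(dump):
    """Return {package: set of granted permission names} from dumpsys text.

    Lines under 'requested permissions:' carry no granted= field, so only
    permissions the system actually granted end up in the result.
    """
    granted = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def risk_report(granted, threshold=3):
    """Flag packages granted at least `threshold` distinct sensitive categories.

    Returns {package: sorted list of category names}.
    """
    flagged = {}
    for pkg, perms in granted.items():
        categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
        if len(categories) >= threshold:
            flagged[pkg] = categories
    return flagged


if __name__ == "__main__":
    grants = parse_granted_permissions(SAMPLE_DUMPSYS)
    for pkg, categories in risk_report(grants).items():
        print(f"{pkg}: granted access to {', '.join(categories)}")
```

On a real device, pipe `adb shell dumpsys package` into `parse_granted_permissions` instead of the sample. A genuine messaging app legitimately holds several of these permissions, so a hit is a triage signal, not a verdict: the useful follow-up is to compare the flagged package's signing certificate and install source against the official app, since the campaign's implants were trojanized copies distributed outside the store.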