Dark Caracal

Introduction

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. Lookout Dark Caracal Jan 2018

Activities and Tactics

Country of Origin: 🏳️ Lebanon

Risk Level: High

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1027.013 Encrypted/Encoded File
• T1059.003 Windows Command Shell
• T1071.001 Web Protocols
• T1204.002 Malicious File
• T1027.002 Software Packing
• T1218.001 Compiled HTML File
• T1189 Drive-by Compromise
• T1547.001 Registry Run Keys / Startup Folder
• T1083 File and Directory Discovery
• T1566.003 Spearphishing via Service
• T1005 Data from Local System
• T1113 Screen Capture
• T1437.001 Web Protocols

ATT&CK technique IDs (denormalized)

• T1005
• T1027.002
• T1027.013
• T1059.003
• T1071.001
• T1083
• T1113
• T1189
• T1204.002
• T1218.001
• T1437.001
• T1547.001
• T1566.003

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• Dark DDoSeR
• CrossRat
• Pallas Bandook CrossRAT Infected Documents:

MITRE ATT&CK Software

• FinFisher (S0182) — malware
• CrossRAT (S0235) — malware
• Bandook (S0234) — malware
• Pallas (S0399) — malware

Attribution and Evidence

Country of Origin: Lebanon Additional attribution information pending cataloguing.

References

[1] mitre-attack [3] Lookout Dark Caracal Jan 2018 Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.