Skip to content

G0070 Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 1

Item Value
ID G0070
Associated Names
Version 1.3
Created 17 October 2018
Last Modified 11 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Dark Caracal‘s version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Dark Caracal‘s version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Dark Caracal has used macros in Word documents that would download a second stage if executed.1
enterprise T1005 Data from Local System Dark Caracal collected complete contents of the ‘Pictures’ folder from compromised Windows systems.1
enterprise T1189 Drive-by Compromise Dark Caracal leveraged a watering hole to serve up malicious code.1
enterprise T1083 File and Directory Discovery Dark Caracal collected file listings of all default Windows directories.1
enterprise T1027 Obfuscated Files or Information Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.1
enterprise T1027.002 Software Packing Dark Caracal has used UPX to pack Bandook.1
enterprise T1566 Phishing -
enterprise T1566.003 Spearphishing via Service Dark Caracal spearphished victims via Facebook and Whatsapp.1
enterprise T1113 Screen Capture Dark Caracal took screenshots using their Windows malware.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.1
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols Dark Caracal controls implants using standard HTTP communication.1

Software

ID Name References Techniques
S0234 Bandook 12 Audio Capture Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Native API Non-Application Layer Protocol Steganography:Obfuscated Files or Information Peripheral Device Discovery Spearphishing Attachment:Phishing Process Hollowing:Process Injection Screen Capture Code Signing:Subvert Trust Controls System Information Discovery System Network Configuration Discovery Malicious File:User Execution Video Capture
S0235 CrossRAT 1 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Launch Agent:Create or Modify System Process File and Directory Discovery Screen Capture
S0182 FinFisher 1 Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Exploitation for Privilege Escalation File and Directory Discovery DLL Search Order Hijacking:Hijack Execution Flow KernelCallbackTable:Hijack Execution Flow DLL Side-Loading:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal Credential API Hooking:Input Capture Location Tracking Match Legitimate Name or Location:Masquerading Binary Padding:Obfuscated Files or Information Software Packing:Obfuscated Files or Information Obfuscated Files or Information Bootkit:Pre-OS Boot Process Discovery Dynamic-link Library Injection:Process Injection SMS Messages:Protected User Data Call Log:Protected User Data Query Registry Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Checks:Virtualization/Sandbox Evasion
S0399 Pallas 1 Audio Capture Exfiltration Over C2 Channel File Deletion:Indicator Removal on Host GUI Input Capture:Input Capture Location Tracking Obfuscated Files or Information SMS Messages:Protected User Data Contact List:Protected User Data Call Log:Protected User Data Software Discovery Stored Application Data System Information Discovery System Network Connections Discovery Video Capture

References

  1. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  2. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.