The Dark Caracal APT group has carried out a series of attacks against multiple sectors using a new variant of a 13-year-old backdoor Trojan.
The Dark Caracal cyberespionage group is back, researchers from Check Point uncovered a new series of attack against multiple industries.
The Dark Caracal is an APT group associated with the Lebanese General Directorate of General, in recent attacks it employed a new version of a 13-year-old backdoor Trojan dubbed Bandook.
The Bandook was spotted last time in 2015 and 2017 campaigns, dubbed “Operation Manul” and “Dark Caracal“, respectively attributed to Kazakh and the Lebanese governments. This circumstance suggests that the implant was developed by a third-party actor and used by multiple APT groups.
“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.” reads the report published by Check Point.
“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”
During the last campaign, the hackers targeted multiple sectors including Government, financial, energy, food industry, healthcare, education, IT, and legal institutions.
The APT group targeted entities in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia, and Germany.
The infection chain used in the attacks is constantly evolving, in the following image are reported the three main stages.
The first stage leverages a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. Upon opening the archive, malicious macros are downloaded, which subsequently proceeds to drop and execute a second-stage PowerShell script encrypted inside the original Word document.
In the last phase of the attack, the PowerShell script downloads encoded executable parts from legitimate cloud storage services like Dropbox or Bitbucket then assemble the Bandook loader, which injects the RAT into a new Internet Explorer process.
The Bandook RAT is available on the underground market since 2007, it supports common backdoor commands, including capturing screenshots and carrying out various file-related operations.
Experts noticed that the new release of Bandook is a slimmed-down version of the original variant malware and supports only 11 commands out of the 120 commands. The support for a subset of commands suggests the threat actors attempt to remain under the radar.
Experts observed several samples of the malware that were digitally signed with valid certificates issued by Certum. Check Point researchers also spotted two digitally-signed and unsigned variants which they believe are operated by a single entity.
“Some of this campaign’s characteristics and similarities to previous campaigns leads us to believe that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used during the Dark Caracal operation:
- The use of the same certificate provider (Certum) throughout the various campaigns.
- The use of the Bandook Trojan, in what appears to be a unique evolving fork from the same source code (which is not known to be publicly available). Samples from the Dark Caracal campaign (2017) utilized around 100 commands, compared to the current 120 command version we analyzed.
- This wave of attacks shares the same anomalous characteristics for targeted attacks – an extreme variance in the selected targets, both in their industry and their geographic spread.” concluded the experts.
“All evidence points to our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist in the offensive cyber operations to anyone who is willing to pay.”
(SecurityAffairs – hacking, malware)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
The Dark Caracal APT group has carried out a series of attacks against multiple sectors using a new variant of a 13-year-old backdoor Trojan.
The Dark Caracal cyberespionage group is back, researchers from Check Point uncovered a new series of attack against multiple industries.
The Dark Caracal is an APT group associated with the Lebanese General Directorate of General, in recent attacks it employed a new version of a 13-year-old backdoor Trojan dubbed Bandook.
The Bandook was spotted last time in 2015 and 2017 campaigns, dubbed “Operation Manul” and “Dark Caracal“, respectively attributed to Kazakh and the Lebanese governments. This circumstance suggests that the implant was developed by a third-party actor and used by multiple APT groups.
“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.” reads the report published by Check Point.
“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”
During the last campaign, the hackers targeted multiple sectors including Government, financial, energy, food industry, healthcare, education, IT, and legal institutions.
The APT group targeted entities in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia, and Germany.
The infection chain used in the attacks is constantly evolving, in the following image are reported the three main stages.
The first stage leverages a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. Upon opening the archive, malicious macros are downloaded, which subsequently proceeds to drop and execute a second-stage PowerShell script encrypted inside the original Word document.
In the last phase of the attack, the PowerShell script downloads encoded executable parts from legitimate cloud storage services like Dropbox or Bitbucket then assemble the Bandook loader, which injects the RAT into a new Internet Explorer process.
The Bandook RAT is available on the underground market since 2007, it supports common backdoor commands, including capturing screenshots and carrying out various file-related operations.
Experts noticed that the new release of Bandook is a slimmed-down version of the original variant malware and supports only 11 commands out of the 120 commands. The support for a subset of commands suggests the threat actors attempt to remain under the radar.
Experts observed several samples of the malware that were digitally signed with valid certificates issued by Certum. Check Point researchers also spotted two digitally-signed and unsigned variants which they believe are operated by a single entity.
“Some of this campaign’s characteristics and similarities to previous campaigns leads us to believe that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used during the Dark Caracal operation:
- The use of the same certificate provider (Certum) throughout the various campaigns.
- The use of the Bandook Trojan, in what appears to be a unique evolving fork from the same source code (which is not known to be publicly available). Samples from the Dark Caracal campaign (2017) utilized around 100 commands, compared to the current 120 command version we analyzed.
- This wave of attacks shares the same anomalous characteristics for targeted attacks – an extreme variance in the selected targets, both in their industry and their geographic spread.” concluded the experts.
“All evidence points to our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist in the offensive cyber operations to anyone who is willing to pay.”
(SecurityAffairs – hacking, malware)