Group description: Dark Caracal

attack.mitre.org · MITRE ATT&CK · threat-intel
Dark Caracal, Group G0070 | MITRE ATT&CK

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

ID: G0070
Version: 1.4
Created: 17 October 2018
Last Modified: 11 April 2024

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Dark Caracal's version of Bandook communicates with its server over a TCP port using HTTP payloads that are Base64 encoded and suffixed with the string "&&&". [1]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Dark Caracal's version of Bandook adds a registry key under HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence. [1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Dark Caracal has used macros in Word documents that download a second stage if executed. [1]
Enterprise | T1005 | Data from Local System | Dark Caracal collected the complete contents of the "Pictures" folder from compromised Windows systems. [1]
Enterprise | T1189 | Drive-by Compromise | Dark Caracal leveraged a watering hole to serve malicious code. [1]
Enterprise | T1083 | File and Directory Discovery | Dark Caracal collected file listings of all default Windows directories. [1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Dark Caracal has used UPX to pack Bandook. [1]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Dark Caracal has obfuscated strings in Bandook by Base64 encoding them and then encrypting the result. [1]
Enterprise | T1566.003 | Phishing: Spearphishing via Service | Dark Caracal spearphished victims via Facebook and WhatsApp. [1]
Enterprise | T1113 | Screen Capture | Dark Caracal took screenshots using their Windows malware. [1]
Enterprise | T1218.001 | System Binary Proxy Execution: Compiled HTML File | Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable. [1]
Enterprise | T1204.002 | User Execution: Malicious File | Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it. [1]
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Dark Caracal controls implants using standard HTTP communication. [1]

Software

ID | Name | References | Techniques
S0234 | Bandook | [1] [2] | Audio Capture, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Steganography, Peripheral Device Discovery, Phishing: Spearphishing Attachment, Process Injection: Process Hollowing, Screen Capture, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, User Execution: Malicious File, Video Capture
S0235 | CrossRAT | [1] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Create or Modify System Process: Launch Agent, File and Directory Discovery, Screen Capture
S0182 | FinFisher | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Exploitation for Privilege Escalation, File and Directory Discovery, Hijack Execution Flow: DLL, Hijack Execution Flow: KernelCallbackTable, Indicator Removal: Clear Windows Event Logs, Input Capture: Credential API Hooking, Location Tracking, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Junk Code Insertion, Obfuscated Files or Information, Pre-OS Boot: Bootkit, Process Discovery, Process Injection: Dynamic-link Library Injection, Protected User Data: Call Log, Protected User Data: SMS Messages, Query Registry, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, Virtualization/Sandbox Evasion: System Checks
S0399 | Pallas | [1] | Audio Capture, Exfiltration Over C2 Channel, Indicator Removal on Host: File Deletion, Input Capture: GUI Input Capture, Location Tracking, Obfuscated Files or Information, Protected User Data: Call Log, Protected User Data: Contact List, Protected User Data: SMS Messages, Software Discovery, Stored Application Data, System Information Discovery, System Network Connections Discovery, Video Capture

References

[1] Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
[2] Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
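The T1071.001 entry above gives one concrete network indicator for Dark Caracal's Bandook build: HTTP payloads that are Base64 encoded and end with the literal string "&&&". The following is an added example, written for this page and not code from MITRE, Lookout/EFF, or the Bandook authors, of a small content check a detection engineer could run over captured HTTP bodies to flag that framing and recover the encoded bytes. It assumes (beyond what the page states) that "&&&" terminates each encoded message and that a framed body ends with it; the sample bodies are constructed here and are not real Bandook traffic.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Framing described on the ATT&CK page: Base64 payload, suffixed with "&&&".
BANDOOK_SUFFIX = "&&&"
# Strict Base64 alphabet with at most two '=' pad characters at the end.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Frame:
    raw: str        # the Base64 segment as seen on the wire
    decoded: bytes  # its decoded bytes (treated as opaque here)


def decode_b64_strict(segment: str) -> Optional[bytes]:
    """Return decoded bytes only if `segment` is canonical Base64, else None."""
    if not segment or len(segment) % 4 != 0 or not B64_RE.match(segment):
        return None
    try:
        return base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_bandook_frames(body: str) -> List[Frame]:
    """Split an HTTP body on the '&&&' terminator and Base64-decode every
    segment. Returns [] unless the body ends with the suffix and every
    segment is valid Base64 (assumption: one malformed segment means this
    is not the framing we are looking for, which keeps false positives down
    on ordinary form data that happens to contain '&&&')."""
    body = body.strip()
    if not body.endswith(BANDOOK_SUFFIX):
        return []
    segments = body.split(BANDOOK_SUFFIX)
    segments.pop()  # trailing empty element after the final suffix
    frames: List[Frame] = []
    for seg in segments:
        seg = seg.strip()
        decoded = decode_b64_strict(seg)
        if decoded is None:
            return []
        frames.append(Frame(seg, decoded))
    return frames


def is_bandook_framed(body: str) -> bool:
    return bool(extract_bandook_frames(body))


def scan(bodies: Dict[str, str]) -> List[str]:
    """Return the names of bodies that match the framing, in input order."""
    return [name for name, body in bodies.items() if is_bandook_framed(body)]


def _frame(*messages: bytes) -> str:
    """Build a body in the described framing (used only to construct samples)."""
    return "".join(base64.b64encode(m).decode("ascii") + BANDOOK_SUFFIX for m in messages)


# Constructed sample HTTP bodies, not real captures.
SAMPLE_BODIES: Dict[str, str] = {
    "bandook-like": _frame(b"ping"),
    "two-frames": _frame(b"ping", b"id=1234"),
    "benign-form": "user=alice&pass=hunter2",
    "benign-b64-no-suffix": base64.b64encode(b"hello").decode("ascii"),
    "suffix-not-b64": "not base64!!&&&",
}

if __name__ == "__main__":
    for name in scan(SAMPLE_BODIES):
        frames = extract_bandook_frames(SAMPLE_BODIES[name])
        print(f"{name}: {len(frames)} frame(s) -> {[f.decoded for f in frames]}")
```

Short Base64 strings terminated by "&&&" can occur in legitimate traffic, so treat a hit as a pivot: correlate it with the non-standard TCP port mentioned in the same entry and with the host-side indicators listed above (UPX-packed binary, the HKEY_USERS Run key) before raising an alert.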