Security researchers at EFF have tracked APTs (Advanced Persistent Threats) targeting civil society for many years now. And while in many cases, the “advanced” appellation is debatable, “persistent” is not. Since 2015, EFF has tracked the cyber-mercenaries known as Dark Caracal, a threat actor who has carried out digital surveillance campaigns on behalf of government interests in Kazakhstan and Lebanon.
Recent activity indicates that this actor is active once again. In November 2019, the group Malware Hunter Team discovered new samples of the Bandook malware, which is associated with Dark Caracal. This time the samples carried legitimate Windows code-signing certificates (issued by the “Certum” certificate authority), which would allow them to run on any Windows computer without a warning to the user. Tipped off by the emergence of these new samples, researchers at Checkpoint found three new variants of Bandook: some expanded (120 commands), some slimmed down (11 commands), and all signed with Certum certificates. The Checkpoint researchers also discovered several new command and control domains in use by Dark Caracal.
In previous campaigns, this actor has displayed impressively lax operational security, enabling researchers to download terabytes of data from their command and control servers. The latest campaign exhibits a somewhat higher level of opsec. Checkpoint reports that targets included “Government, financial, energy, food industry, healthcare, education, IT and legal institutions” in the following countries: Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany.
Recommended Mitigations against Dark Caracal
The Dark Caracal threat actors still appear to rely on phishing and Office-based macros as their primary method of infection. Because of this, the best step one can take to protect against Dark Caracal is to disable Office macros on your personal devices or across your entire organization. This is also a good basic security hygiene practice. Standard methods of avoiding phishing attacks are good practice as well. Readers may also take some comfort in the fact that Bandook is currently detected by many, if not most, antivirus products.
The Bandook Trojan
One of the primary signatures of the Dark Caracal threat group is their use of the Bandook Trojan, which is described in the Checkpoint report as follows:
The final payload in this infection chain is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli.
Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server.
These findings are consistent with what EFF previously published in our Dark Caracal and Operation Manul reports.
We were surprised to see the Checkpoint report when it was released on Thanksgiving, as we had been tracking Dark Caracal again as well. Building on Checkpoint’s work, we are publishing additional indicators of compromise we have observed that may be of interest to other security professionals and malware researchers.
Additional Dark Caracal Indicators of Compromise
Unpacked Bandook sample:
User-Agent: Mozilla/4.0 (compatible; ALI)
Command and Control URLs:
Command and Control Domains:
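As an added example (not part of the original post or the Checkpoint report), the following Python scans proxy log lines in combined log format for the Bandook User-Agent listed above and aggregates hits per internal client so responders know which hosts to triage first. The log lines, IP addresses, timestamps and request paths are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Bandook User-Agent string as published in the post's indicators of compromise.
BANDOOK_USER_AGENT = "Mozilla/4.0 (compatible; ALI)"

# Combined Log Format (Apache/nginx style):
# client ident user [timestamp] "request" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_bandook_beacons(lines):
    """Return (client_ip, timestamp, request) for each line whose User-Agent exactly
    matches the Bandook string. Malformed lines are skipped rather than raising, and
    the match is exact so that legitimate old 'Mozilla/4.0' browsers are not flagged."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        if fields["ua"] == BANDOOK_USER_AGENT:
            hits.append((fields["ip"], fields["ts"], fields["req"]))
    return hits

def hosts_to_triage(lines):
    """Count beacon hits per internal client IP so the noisiest hosts are handled first."""
    counts = defaultdict(int)
    for ip, _ts, _req in find_bandook_beacons(lines):
        counts[ip] += 1
    return dict(counts)

# Constructed sample proxy log lines (not real traffic; addresses and paths are made up).
SAMPLE_LOG = [
    '10.0.0.12 - - [28/Nov/2020:09:14:03 +0000] "GET /update HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; ALI)"',
    '10.0.0.31 - - [28/Nov/2020:09:14:07 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.12 - - [28/Nov/2020:09:19:03 +0000] "POST /ping HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; ALI)"',
    'garbage line that does not parse',
    '10.0.0.57 - - [28/Nov/2020:09:20:11 +0000] "GET / HTTP/1.1" 200 128 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for ip, ts, req in find_bandook_beacons(SAMPLE_LOG):
        print(f"{ip} {ts} {req}")
    print(hosts_to_triage(SAMPLE_LOG))
```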