In 2018, EFF, along with researchers from Lookout Security, published a report describing the Advanced Persistent Threat (APT) we dubbed "Dark Caracal." Now we have uncovered a new Dark Caracal campaign, operating since March 2022, with hundreds of infections across more than a dozen countries. In this report we present evidence that the cyber-mercenary group Dark Caracal is still active and continues to focus on Latin America, as was reported last year. We have discovered that Dark Caracal, using the Bandook spyware, is currently infecting over 700 computers in Central and South America, primarily in the Dominican Republic and Venezuela.
In our original 2018 report, we described a campaign targeting thousands of Lebanese citizens with several different malware families, including a brand new mobile remote access trojan we named Pallas and a Windows remote access trojan called Bandook. Through our research we were able to shut down the malware campaign and notify a number of the victims. Our Operation Manul report established that the actors behind the campaign were working with the governments of Lebanon and Kazakhstan. The variety of targets and the apparent involvement of multiple governments throughout the campaigns led us to believe that Dark Caracal is a cyber-mercenary or hack-for-hire group.
Since our original Dark Caracal report, there have been multiple reports on the group's continued activities. Check Point Research wrote about a campaign in 2020, and we have continued to follow Dark Caracal's activities, with our most recent report also in 2020. Most recently, ESET wrote about Dark Caracal activity in Latin America in their report Bandidos at Large.
Dark Caracal is far from the only malware group currently targeting Latin America. The Quantum malware group targeted the Dominican Republic’s Ministry of Agriculture in 2022. The Dominican Republic is also a reported customer of NSO Group.
Given Dark Caracal’s history of working with national governments — such as Kazakhstan and Lebanon — on politically motivated campaigns, it is possible that the new campaign described below is also at the behest of a government actor, but without more insight into who the infected computers belong to, we cannot draw any conclusions as to the motivation of these attacks.
Regardless, we call on lawmakers and regulators in South and Central America to be vigilant against Dark Caracal's spyware since it, and other spyware like it, has been used to commit gross human rights violations. Time and again, nation-states and cyber-mercenaries have used spyware to target activists, human rights defenders, and journalists whose actual work is to uncover governments' wrongdoing, speak truth to power and hold governments accountable. Such targeting has resulted in a growing list of extrajudicial killings of journalists and human rights defenders.
Governments should consider calling for a moratorium on governmental use of these malware technologies, supporting computer security research, and upholding human rights for all, including transparency, accountability and redress for victims.
Governments must recognize that government hostility to device security is dangerous for their own people. If one government can use malware against civilians under a rival government, there is nothing stopping the rival government from doing the same. Governments should be focusing on improving computer security and protecting their citizens' rights to freedom of expression.
We hope this report will add to a body of work exposing cyber mercenaries and convince policymakers that cyber mercenaries and nation-state hacking are truly a global threat to human rights and civil society.
A new campaign appears
Recently we discovered a new version of the Bandook malware, which has been updated to support 148 unique commands that the operators can send to an infected computer, far more than the 120 available in earlier samples. This sample and related samples appear to be part of a campaign that began in March 2022, using a new command and control server (a remote computer which issues orders to the infected computers and receives the data stolen from them) at the domain
In the “Bandidos at Large” report, ESET researchers detailed a mechanism within Bandook for downloading Windows DLLs (software libraries for Windows) from a domain secondary to the main command and control server, in order to gain additional functionality. On analyzing the samples we obtained, we found that in this case the mechanism for downloading additional DLLs pointed to the domain unclesow[.]com. Upon investigating, we realized that unclesow[.]com had not yet been registered. Since this domain could provide information on Dark Caracal’s activities, we registered it and set up a sinkhole (a server that hosts a domain previously used by a malware campaign, in order to protect infected computers and collect information about the infections).
Unclesow[.]com is currently hosted by EFF. Since registering this domain, we have been collecting aggregate information on the victims of this malware campaign. Based on daily traffic logs, there appear to be between 600 and 800 infected machines at any time, mostly across Central and South America. Since every Bandook infection connects to the secondary domain multiple times per day, we are confident that we are seeing all infections for this current campaign. Because of our concern for the privacy of the victims of this malware campaign we have configured the server to delete logs after four weeks and collect the bare minimum of necessary information.
The same day that we set up DNS entries for unclesow[.]com, several other domains that had been previously registered had their DNS suddenly pointed at the same server that hosted unclesow. There were 6 domains pointed automatically at our server:
Based on the timing and the apparent phishing-related nature of these domains, we suspect this was an automatic process, possibly set up by the same people running the Dark Caracal campaign. A few days later, several of the domains were pointed at a new IP address not under our control. However, three of the domains (seconsave[.]com, scanlostt[.]com and sensity[.]biz) still point to our sinkhole server. We were also able to identify several other related domains that were hosted on other servers at the same time as these domains (when they were not pointing to our sinkhole).
The connection of these domains to the current Dark Caracal campaign is unclear. They may belong to a different campaign or serve another purpose. The tactics, techniques and procedures do not match: the domains above are hosted on DigitalOcean and registered through Namecheap, and none of them is mentioned in the Bandook samples, whereas the domains that do appear in the Bandook samples are hosted with the bulletproof hosting provider OvO [ovo.sc] and registered through a company called 1984 [1984.is]. Additionally, we observed no interesting traffic, and none indicative of a Bandook infection, to any of the domains pointed at our sinkhole other than unclesow[.]com. The only connection these domains have to this campaign is that they were pointed at our sinkhole automatically when we set it up. For now it remains a mystery.
Since we registered the unclesow[.]com domain, the attackers have changed the command and control domain twice, first to cudenpower[.]co and then to bomes[.]ru. However, in both cases, and still to this day, they have not changed the secondary infection domain from unclesow[.]com, so our sinkhole continues to function even for new samples of the malware. It is unclear whether the malware operators realize that their secondary domain is controlled by us at this time.
Bandook Continues Evolving
The versions of Bandook used in this campaign appear to be newer than those in the last campaigns reported on by ESET. The first stage has switched from GOST to DES for encrypting the second-stage payload. The DES key is derived from a passphrase by hashing it with the RIPEMD-128 algorithm.
Additionally, the malware now supports 148 commands that the command and control server can issue to the infected computer, up from the 132 in the samples analyzed by ESET. The commands include turning on the webcam, adding or removing files on the computer, taking control of the mouse, recording the screen, starting a remote desktop session, and downloading additional libraries for extra functionality (see the appendix for more).
These changes indicate a close connection to the Dark Caracal group, since the source code for Bandook is not public and, as far as we know, the malware is not for sale.
At the time of this report, unpacked versions of the malware were detected by 41 of 70 antivirus engines on VirusTotal, whereas a representative packed sample was detected by 35 of 71 engines.
The command and control servers are more locked down than those we have seen in the past: the only open services are SSH and the command and control service listening on port 2222. There is no web administration interface, as there was in earlier infrastructure.
From connections to our sinkhole we have observed victims in several Central and South American countries. Approximately 75% of infected computers are located in the Dominican Republic and 20% in Venezuela.
Because the infected computers connect to the sinkhole server and make an HTTP GET request for the path /flras/get.php?huln=nevi approximately every three hours, we can reliably estimate the number of infected machines. At its peak we suspect more than 800 computers were infected in this campaign. However, that figure may be an overestimate if some machines change IP address during the day, whether by moving to a new network or because a dynamic IP address is reassigned. Since every connection initiated by Bandook uses the same fixed User-Agent string (see the appendix), we have no way to track an individual machine across IP address changes.
Because Bandook samples have only ever been observed for Windows, we assume that the infected machines are all Windows computers. According to Shodan data, many of the IP addresses belong to commodity routers on consumer ISP networks. We assume those routers have dynamic IP addresses that change frequently, which inflates the number of unique IPs connecting to our sinkhole.
Infections drop off on Saturdays and especially Sundays, leading us to believe that most infected machines are located at places of business. This hypothesis is also supported by the drop in connections from infected machines on major public holidays such as Christmas Eve, Christmas Day, and New Year’s Day.
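The sinkhole counting described above reduces to a small log-processing task: keep only requests that match both Bandook indicators from the appendix (the exact beacon path and the exact User-Agent), count distinct source IPs per calendar day, and compare weekdays with weekend days. The following Python is an added example, not EFF's sinkhole tooling; the access-log format (Apache/nginx "combined") and the sample lines are constructed for illustration using documentation-range addresses. Matching on both indicators matters: a scanner that probes the path with an ordinary browser User-Agent is not an infection and must not inflate the count.

```python
import re
from collections import defaultdict
from datetime import datetime

# Network indicators quoted in the report's appendix.
BEACON_PATH = "/flras/get.php?huln=nevi"
BANDOOK_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) "
              "Gecko/2010010146b Firefox/55.0")

# Apache/nginx "combined" access-log line.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = _COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_bandook_beacon(rec):
    """Require the exact path AND the exact fixed User-Agent (the odd Gecko/2010010146b
    token is the distinctive part), so probes of the path by scanners are excluded."""
    return (rec["method"] == "GET"
            and rec["path"] == BEACON_PATH
            and rec["ua"] == BANDOOK_UA)


def infected_ips_by_day(lines):
    """ISO date -> set of source IPs that beaconed that day.  A host checking in
    every ~3 hours counts once; a host whose IP changes mid-day counts twice,
    which is the overestimate the report warns about."""
    days = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_bandook_beacon(rec):
            days[rec["when"].date().isoformat()].add(rec["ip"])
    return dict(days)


def daily_counts(lines):
    return {day: len(ips) for day, ips in infected_ips_by_day(lines).items()}


def weekday_weekend_average(lines):
    """(mean distinct IPs on Mon-Fri, mean on Sat/Sun): a clear weekend drop is
    the signal used to infer that infected hosts sit at places of business."""
    weekday, weekend = [], []
    for day, n in daily_counts(lines).items():
        (weekend if datetime.fromisoformat(day).weekday() >= 5 else weekday).append(n)
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(weekday), mean(weekend)


def _line(ip, ts, path=BEACON_PATH, ua=BANDOOK_UA):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5 "-" "{ua}"'


# Constructed sample log for this example; not real sinkhole data.
# 16 Dec 2022 is a Friday, 17 Dec a Saturday, 19 Dec a Monday.
SAMPLE_LOG = [
    _line("203.0.113.10", "16/Dec/2022:03:14:01 +0000"),
    _line("203.0.113.10", "16/Dec/2022:06:15:44 +0000"),   # same host, next 3h check-in
    _line("203.0.113.11", "16/Dec/2022:09:02:10 +0000"),
    _line("198.51.100.5", "16/Dec/2022:11:47:53 +0000"),
    _line("198.51.100.77", "16/Dec/2022:12:00:00 +0000",
          ua="Mozilla/5.0 (compatible; scanner)"),          # probes the path, wrong UA
    _line("203.0.113.12", "16/Dec/2022:13:00:00 +0000", path="/"),  # ordinary hit
    _line("203.0.113.10", "17/Dec/2022:08:30:12 +0000"),   # Saturday: one host
    _line("203.0.113.10", "19/Dec/2022:02:10:00 +0000"),
    _line("203.0.113.11", "19/Dec/2022:05:11:00 +0000"),
    _line("198.51.100.5", "19/Dec/2022:08:12:00 +0000"),
    _line("198.51.100.6", "19/Dec/2022:11:13:00 +0000"),
]

if __name__ == "__main__":
    print(daily_counts(SAMPLE_LOG))
    print(weekday_weekend_average(SAMPLE_LOG))
```

On the sample, Friday yields three distinct beaconing hosts (the scanner and the ordinary request are dropped), Saturday one, Monday four. The same two indicators can be lifted into a proxy or IDS rule on a corporate network; there, any match is an infection rather than a statistic.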
Though we haven’t been able to contact any of the victims of this current campaign, their location opens the possibility that it is a continuation of the campaign outlined in the Bandidos at Large Report. Because of Dark Caracal’s history of working on behalf of governments, we can’t discount that possibility here either, though the client’s identity remains a mystery for now.
Thanks to ESET, Martijn Grooten, Jeremy Kennelly, Bill Marczak, and VirusTotal for assistance with this research.
Appendix - Indicators of Compromise
Command and Control domains:
unclesow[.]com - SINKHOLED
Possibly Related Domains
Bandook malware indicators
User agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/2010010146b Firefox/55.0
Path connected to on sinkhole: /flras/get.php?huln=nevi
Selection of Bandook Commands
Unpacked bandook samples
Packed Bandook Samples