
Dark Caracal hacking group has stolen hundreds of gigabytes of data from 21 countries

A hacking group that has been traced to the Lebanese government has been actively attacking desktops and Android devices since 2012.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Dark Caracal, a hacking group linked to the Lebanese government, has been found to be engaging in cyber espionage and data theft against more than 21 countries, leading to hundreds of gigabytes in stolen personal data.
  • Dark Caracal's attacks use typical social engineering methods to infect devices, making standard defense methods successful at counteracting it.

A newly discovered hacking group, dubbed Dark Caracal, has been linked to the Lebanese government in a globally scaled campaign of cyber espionage and malware attacks.

Researchers from cybersecurity firm Lookout and the Electronic Frontier Foundation have released a report detailing how the two groups traced Dark Caracal back to the Lebanese General Security Directorate and have found evidence of attacks on government agencies, militaries, defense contractors, utilities, enterprises, and financial institutions.

The attackers also gained access to devices belonging to military personnel, medical professionals, activists, journalists, lawyers, and members of educational institutions.

Striking in more than 21 countries, Dark Caracal is "one of the first publicly documented mobile APT actors known to execute espionage on a global scale," according to the Lookout/EFF report.

The picture painted of Dark Caracal's reach and effectiveness is bleak—it's hard to feel safe when state-sponsored actors like it have been so effective.

Prolific malware hosting, standard infection techniques

The Lookout/EFF report was able to determine that Dark Caracal is running at least six separate simultaneous campaigns against desktop computers and Android devices, which the report says have been widely successful at gaining deep insight into victims' lives.

[Figure: Items being stolen by Dark Caracal Trojanized apps. Image: Lookout/EFF]

Both desktop and Android malware have been distributed through phishing and spear-phishing campaigns, spoofed login portals, watering holes, social engineering, and even fake social media posts that referred to infected sites.

The actual infection method on both Android devices and desktops is familiar, largely relying on Trojanized applications that users are tricked into installing.

Android devices, which are the overwhelming majority of Dark Caracal's targets, have primarily been infected by a Dark Caracal-produced malware called Pallas that is hidden in Trojanized versions of legitimate apps. Pallas has been found in WhatsApp, Signal, Primo, Threema, Plus Messenger, Psiphon VPN, Orbot TOR proxy, fake Flash Player updates, and fake Google Play Push apps.

Pallas can download additional malware, patch itself, and perform other tasks that make it fully capable of stealing personal data, but it isn't doing anything tricky to get itself installed.

"Neither the desktop nor the mobile malware tooling use zero day vulnerabilities. Pallas samples primarily rely on the permissions granted at installation in order to access sensitive user data," the Lookout/EFF report said.

Protecting yourself from Dark Caracal

It isn't necessary to know the full extent of Dark Caracal's reach to come to the obvious conclusion: It's a dangerous hacking group that may be one of the most widespread ever discovered.


It is possible to keep your device, and those you manage, safe from its malware campaigns by using some of the same basic rules that always apply:

  • Keep devices updated and be sure to install patches as soon as they are available.
  • Be sure to have a trusted antivirus app installed on all devices.
  • Only install apps from verified sources. On Android that means the Google Play Store, and on desktop devices like Windows and Macs that means the official app stores.
  • Never allow BYOD devices onto corporate networks unless they have been scanned and found clean.
  • Personal devices used for work should be controlled under a mobile device management policy.
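As an added, defender-side example (not code from the Lookout/EFF report or from TechRepublic), the following Python script ties together the report's observation that Pallas relies on permissions granted at install time and the advice above to install only from verified sources: it parses `adb shell pm list packages -i` output to find apps that did not come from the Play Store, then lists those that request the permissions covering the data categories the report describes (messages, call logs, contacts, audio, location). The `installer=` line format, the package names and the permission lists are constructed sample data, and the grouping of "sensitive" permissions is an assumption for triage.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output. Assumption: the
# command prints one "package:<name>  installer=<installer|null>" line per app.
PM_LIST = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=null
package:com.example.flashupdate  installer=null
package:com.android.chrome  installer=com.android.vending
"""

# Constructed per-package permission lists, as read from the "requested
# permissions" section of `adb shell dumpsys package <name>`.
P = "android.permission."
REQUESTED = {
    "com.whatsapp": [P + "READ_CONTACTS", P + "RECORD_AUDIO"],
    "org.thoughtcrime.securesms": [P + "READ_SMS", P + "READ_CONTACTS", P + "RECORD_AUDIO"],
    "com.example.flashupdate": [P + "READ_SMS", P + "READ_CALL_LOG", P + "RECORD_AUDIO", P + "ACCESS_FINE_LOCATION"],
    "com.android.chrome": [P + "ACCESS_FINE_LOCATION"],
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Permissions that cover the data categories the report says Pallas collects:
# messages, call records, contacts, audio and location (assumed grouping).
SENSITIVE = {P + n for n in ("READ_SMS", "READ_CALL_LOG", "READ_CONTACTS",
                             "RECORD_AUDIO", "ACCESS_FINE_LOCATION")}

def parse_pm_list(text):
    """Map package name -> installer package (None when installer=null)."""
    apps = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            apps[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return apps

def flag_sideloaded(pm_list_text, requested, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, sensitive perms) for sideloaded apps that request them."""
    findings = []
    for pkg, installer in parse_pm_list(pm_list_text).items():
        if installer in trusted:
            continue  # came from a trusted store; not part of this triage
        risky = sorted(set(requested.get(pkg, [])) & SENSITIVE)
        if risky:
            findings.append((pkg, installer, risky))
    return findings
```

A sideloaded app with these permissions is not necessarily malicious; the output is a triage queue for checking each package's signature and hash against a known-good copy from the vendor.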

Google told Lookout that none of the apps associated with Dark Caracal were ever on the Google Play Store, and that it is in the process of removing all Dark Caracal apps from Android devices.

The full extent of what was discovered about Dark Caracal by Lookout and EFF can be found in their complete report, linked at the beginning of this article.


About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
