A global mobile espionage campaign that has been collecting a trove of sensitive personal information from victims since at least 2012 has accidentally revealed itself, thanks to an exposed server on the open internet.
It is one of the first known examples of a successful large-scale hacking operation targeting mobile phones rather than computers.
The advanced persistent threat (APT) group, dubbed Dark Caracal, is reported to have stolen hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 countries, according to a new report from the Electronic Frontier Foundation (EFF) and security firm Lookout.
After mistakenly leaking some of its files to the internet, the shadowy hacking group has been traced back to a building in Beirut owned by the Lebanese General Directorate of General Security (GDGS), one of the country's intelligence agencies.
"Based on the available evidence, it's likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal," the report reads.
According to the 51-page report [PDF], the APT group targeted "entities that a nation-state might attack," including governments, military personnel, utilities, financial institutions, manufacturing companies, defence contractors, medical practitioners, education professionals, academics, and civilians from numerous other fields.
Researchers also identified at least four personas associated with Dark Caracal's infrastructure, namely Nancy Razzouk, Hassan Ward, Hadi Mazeh, and Rami Jabbour, tied together through the email address op13@mail[.]com.
"The contact details for Nancy present in WHOIS information matched the public listing for a Beirut-based individual by that name. When we looked at the phone number associated with Nancy in the WHOIS information, we discovered the same number listed in exfiltrated content and being used by an individual with the name Hassan Ward."
"During July 2017, Dark Caracal's internet service provider took the adobeair[.]net command and control server offline. Within a matter of days, we observed it being re-registered to the email address op13@mail[.]com with the name Nancy Razzouk. This allowed us to identify several additional domains listed under the same WHOIS email address information, running similar server components."
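The pivot the researchers describe, from one C2 domain to a registrant email, to a phone number, to further domains and a second persona, is a standard infrastructure-clustering step. The script below is an added example and is not code from the Lookout/EFF report: it clusters WHOIS records that share a registrant email or phone number. Only adobeair[.]net and op13@mail[.]com are indicators named in the article; every other domain, phone number and email in the records is a constructed placeholder.

```python
"""Cluster domains by shared WHOIS registrant selectors (email, phone).

Added example, not code from the report. Only adobeair[.]net and
op13@mail[.]com come from the article; all other values are constructed.
"""
from collections import defaultdict

# Constructed WHOIS records, indicators defanged with [.] as in the article.
WHOIS_RECORDS = [
    {"domain": "adobeair[.]net", "email": "op13@mail[.]com",
     "name": "Nancy Razzouk", "phone": "+961-0000-0001"},       # placeholder phone
    {"domain": "example-c2-1[.]com", "email": "op13@mail[.]com",
     "name": "Nancy Razzouk", "phone": "+961-0000-0001"},       # constructed domain
    {"domain": "example-c2-2[.]com", "email": "other@example[.]com",
     "name": "Hassan Ward", "phone": "+961-0000-0001"},         # constructed domain
    {"domain": "unrelated-shop[.]com", "email": "shop@example[.]org",
     "name": "Some Shop", "phone": "+1-555-0100"},              # unrelated control
]


def refang(indicator):
    """Turn a defanged indicator ([.] and hxxp) back into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def normalize_phone(phone):
    """Keep digits only so formatting differences do not break the pivot."""
    return "".join(ch for ch in phone if ch.isdigit())


def pivot_clusters(records):
    """Group domains that share a registrant email or phone (union-find).

    Returns clusters sorted by size; each has sorted 'domains', the
    'selectors' that tie them together, and the registrant 'personas'.
    """
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Index every domain under each selector value it was registered with.
    by_selector = defaultdict(set)
    for r in records:
        d = refang(r["domain"]).lower()
        by_selector[("email", refang(r["email"]).lower())].add(d)
        by_selector[("phone", normalize_phone(r["phone"]))].add(d)
    for domains in by_selector.values():
        ordered = sorted(domains)
        for a, b in zip(ordered, ordered[1:]):
            union(a, b)

    clusters = defaultdict(lambda: {"domains": set(), "selectors": set(), "personas": set()})
    for r in records:
        d = refang(r["domain"]).lower()
        clusters[find(d)]["domains"].add(d)
        clusters[find(d)]["personas"].add(r["name"])
    for (kind, value), domains in by_selector.items():
        if len(domains) > 1:   # a selector only counts as a link if it is shared
            clusters[find(next(iter(domains)))]["selectors"].add(f"{kind}:{value}")

    return sorted(
        ({k: sorted(v) for k, v in c.items()} for c in clusters.values()),
        key=lambda c: -len(c["domains"]),
    )


if __name__ == "__main__":
    for c in pivot_clusters(WHOIS_RECORDS):
        print(c)
```

Two caveats a practitioner would apply before trusting the output: registrant data behind a privacy proxy clusters everything registered through that proxy, so known proxy emails and phone numbers must be excluded from the selector set, and a shared phone number alone is weaker evidence than the combination of shared email, phone and server components that the report relied on.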
Multi-Platform Cyber Espionage Campaign
Dark Caracal has been conducting multi-platform cyber-espionage campaigns and has been linked to more than 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP-based IOCs.
Since at least 2012, the group has run more than ten hacking campaigns aimed mainly at Android users in at least 21 countries across North America, Europe, the Middle East, and Asia.
The data Dark Caracal stole from its targets includes documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, and location data: essentially everything the APT group needs to identify a person and take an intimate look at his or her life.
To get the job done, Dark Caracal did not rely on any zero-day exploits, nor did it need to get its malware into the Google Play Store. Instead, the group used basic social engineering, via posts in Facebook groups and WhatsApp messages, to lure users to a website controlled by the attackers and to get them to grant the trojanized apps the permissions they asked for.
"One of the interesting things about this ongoing attack is that it doesn't require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware," said EFF Staff Technologist Cooper Quintin.
"This research shows it's not difficult to create a strategy allowing people and governments to spy on targets around the world."
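Published IOC lists like the one in the report are defanged (adobeair[.]net rather than adobeair.net), and a naive substring match against logs produces both misses (subdomains of a C2 domain) and false positives (notadobeair.net). The script below is an added example, not code from the report or from Lookout: it refangs a small IOC list, matches domains by exact label suffix and IPs by network membership, and runs that over a few log lines. The IOC list (apart from adobeair[.]net, which the article names) and all log lines are constructed for the example.

```python
"""Match defanged domain/IP IOCs against DNS and proxy log lines.

Added example, not from the report. adobeair[.]net is the one C2 domain
the article names; the other indicators and all log lines are constructed.
"""
import ipaddress
import re

IOC_LIST = """
# constructed IOC list in report-appendix style
adobeair[.]net
example-c2[.]com
203.0.113[.]10
"""

# Constructed: two BIND-style query-log lines and two Squid-style proxy lines.
SAMPLE_LOGS = [
    "12-Jan-2018 10:01:02.123 client 10.0.0.7#51234: query: update.adobeair.net IN A + (10.0.0.1)",
    "12-Jan-2018 10:01:05.456 client 10.0.0.9#51300: query: www.example.org IN A + (10.0.0.1)",
    "1515751270.001 120 10.0.0.7 TCP_MISS/200 512 GET http://203.0.113.10/app/update.apk - "
    "HIER_DIRECT/203.0.113.10 application/vnd.android.package-archive",
    "1515751280.002 15 10.0.0.9 TCP_MISS/200 200 GET http://notadobeair.net/ - "
    "HIER_DIRECT/198.51.100.5 text/html",
]


def refang(indicator):
    """Turn a defanged indicator ([.] and hxxp) back into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text):
    """Split an IOC list into a set of domains and a set of IP networks.

    Anything ipaddress accepts is treated as a host or CIDR; the rest is a domain.
    """
    domains, networks = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        value = refang(line).lower()
        try:
            networks.add(ipaddress.ip_network(value, strict=False))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, networks


# Hostnames and dotted-quad IPs embedded anywhere in a free-form log line.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def domain_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one.

    Matching on label boundaries means notadobeair.net does NOT match adobeair.net.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def scan_logs(lines, domains, networks):
    """Return sorted (line_number, matched_value) pairs for every IOC hit."""
    hits = set()
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, domains):
                hits.add((n, host.lower()))
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue                     # e.g. 999.1.1.1 is not an address
            if any(addr in net for net in networks):
                hits.add((n, ip))
    return sorted(hits)


if __name__ == "__main__":
    doms, nets = load_iocs(IOC_LIST)
    for hit in scan_logs(SAMPLE_LOGS, doms, nets):
        print(hit)
```

The subdomain match is what catches a beacon to a host under a listed C2 domain, while the boundary check keeps a look-alike registration from lighting up as a hit; both behaviours are the ones worth testing before an IOC list is loaded into a production detection.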
Here’s How Dark Caracal Group Infects Android Users
Once lured onto the malicious websites, victims were served fake updates to secure messaging apps, including WhatsApp, Signal, Threema, Telegram, and Orbot (an open source Tor client for Android), which in fact installed the Dark Caracal malware, dubbed Pallas, on targets' mobile devices.
Pallas is a piece of surveillance malware capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes, from victims' devices.
"Pallas samples primarily rely on the permissions granted at installation in order to access sensitive user data. However, there is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates," the report says.
"Theoretically, this means it's possible for the operators behind Pallas to push specific exploit modules to compromised devices in order to gain complete access."
Besides its own custom malware, Dark Caracal also used FinFisher, a highly secretive surveillance tool that is often marketed to law enforcement and government agencies, and a newly discovered desktop spyware tool, dubbed CrossRAT, which can infect Windows, Linux, and OS X.
"Citizen Lab previously flagged the General Directorate of General Security in a 2015 report as one of two Lebanese government organizations using the FinFisher spyware," the report says.
According to the researchers, although Dark Caracal targeted macOS and Windows devices in various campaigns, at least six distinct Android campaigns were linked to one of its servers that had been left open for analysis, revealing that 48GB of data had been stolen from around 500 Android phones.
Overall, Dark Caracal successfully stole more than 252,000 contacts, 485,000 text messages, and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords, and PINs was also stolen.
The best way to protect yourself from such Android malware is to install applications only from the official Google Play Store rather than from third-party websites, and to keep sideloading from unknown sources disabled, since the lures in this campaign were "updates" offered by a web page rather than by the store.
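Because Pallas gets its access from install-time permissions and from the ability to fetch and install further packages, a first-pass triage of a sideloaded "messenger update" can be done on its decoded manifest alone. The script below is an added example and not code from the report or from Lookout: it parses an AndroidManifest.xml in the text form a decoder such as apktool produces, flags the permissions behind the collection the article lists, flags the package-install capability, and checks whether the app's label borrows the name of one of the impersonated messengers while carrying a different package name. The manifest is constructed and is not Pallas's real manifest; the known package names (Signal, WhatsApp, Telegram, Threema, Orbot) are the real ones, and the threshold is an assumption.

```python
"""Triage a decoded AndroidManifest.xml for surveillance-style permissions.

Added example, not from the report. The manifest below is constructed and
is not Pallas's; the KNOWN_PACKAGES values are the real package names of the
apps the lures impersonated. The threshold of 4 capabilities is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, together, enable the collection described in the article.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "photos/video",
    "android.permission.READ_SMS": "text messages (incl. 2FA codes)",
    "android.permission.RECEIVE_SMS": "text messages (incl. 2FA codes)",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "documents/photos on storage",
}
# Lets the app fetch and install further packages: the "push additional
# applications or updates" capability the report describes.
INSTALL_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES"}

# Real package names of the apps the fake updates impersonated.
KNOWN_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "whatsapp": "com.whatsapp",
    "telegram": "org.telegram.messenger",
    "threema": "ch.threema.app",
    "orbot": "org.torproject.android",
}

# Constructed manifest of a fake "Signal update" (not a real sample).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemessenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Signal Update"/>
</manifest>
"""


def manifest_permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def impersonated_app(label, package):
    """Name of the known app whose name the label borrows, if the package
    is not that app's own package; None otherwise."""
    label = (label or "").lower()
    for name, pkg in KNOWN_PACKAGES.items():
        if name in label and package != pkg:
            return name
    return None


def triage(xml_text, threshold=4):
    """Return a triage report for one decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    # In real decoded manifests the label is often "@string/app_name";
    # resolve it from res/values/strings.xml before calling this.
    label = app.get(ANDROID_NS + "label") if app is not None else None

    perms = manifest_permissions(root)
    flagged = {p: SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS}
    capabilities = sorted(set(flagged.values()))
    can_install = bool(perms & INSTALL_PERMISSIONS)
    impersonates = impersonated_app(label, package)

    # A genuine messenger legitimately asks for mic, camera and contacts, so the
    # permission count alone only earns "review"; install capability or a
    # borrowed app name is what tips the verdict to "suspicious".
    if can_install or impersonates:
        verdict = "suspicious"
    elif len(capabilities) >= threshold:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "package": package,
        "label": label,
        "flagged": flagged,
        "capabilities": capabilities,
        "can_install_packages": can_install,
        "impersonates": impersonates,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The permission set is deliberately only a "review" signal, because the real Signal or WhatsApp asks for the microphone, camera and contacts too; the decisive checks for a sideloaded update are the package name and, beyond what a manifest can show, whether the APK's signing certificate matches the one the genuine app is signed with.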