Researchers have recently revealed that the Dark Caracal threat group is very much alive and active.
Dark Caracal, first reported by researchers in January, ran the first known global campaign that steals data from Android devices. The January report described how Dark Caracal stole hundreds of gigabytes of data, primarily from Android devices, from thousands of victims in 20 countries.
Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.
The Dark Caracal APT group is believed to be a Lebanese intelligence agency. In its latest attacks it was found using a new strain of the 13-year-old Bandook Trojan. Its latest campaigns carry out offensive cyber-espionage operations against a variety of sectors and locations.
- A Microsoft Word document is used as the lure. It references an external template containing macros and carries an embedded, encrypted malicious script.
- The second stage drops a PowerShell loader that decodes and runs a base64-encoded PowerShell script.
- The final stage delivers the Bandook Trojan, written in both C++ and Delphi.
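The first stage above relies on a Word document whose relationships point at a template hosted outside the file. As an added example (not code from the report or from eScan), the triage function below walks every `.rels` part of an OOXML document, flags `attachedTemplate` relationships whose target is an HTTP(S) URL, and notes whether a VBA project is embedded; the two `.docx` files it inspects are constructed in memory and inert, and the template URL in them is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Real OOXML namespace and relationship type for an attached (external) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def triage_docx(data: bytes) -> dict:
    """Report attached-template relationships that fetch over HTTP(S), plus
    whether the package carries a VBA project (word/vbaProject.bin)."""
    findings = {"remote_templates": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue  # only relationship parts declare templates
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"
                        and urlsplit(target).scheme in ("http", "https")):
                    findings["remote_templates"].append((name, target))
    return findings


def build_sample(remote_template: bool) -> bytes:
    """Construct a minimal, inert .docx in memory (sample data for this example).
    The remote variant points at a placeholder URL; the local one at Normal.dotm."""
    target = ("http://template.example.invalid/lure.dotm" if remote_template
              else "file:///C:/Users/user/Templates/Normal.dotm")
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_docx(build_sample(flag)))
```

A hit in `remote_templates` on a document that arrived by mail is a strong reason to detonate it in a sandbox and to look for the PowerShell activity the second stage produces.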
Variants of the Trojan
- An unsigned full version with 120 commands,
- A signed full version with 120 commands, and
- A signed cut-down version with 11 commands.
As noted earlier, the Dark Caracal group is not as sophisticated as other APT actors. However, its attack tactics have improved significantly in recent times.
To read more, please check eScan Blog