
The Return of the Dark Caracal Malware

by CISOCONNECT Bureau

Recently, Check Point researchers disclosed that the Dark Caracal threat group is very much alive and kicking. Read on to know more…

Researchers from Check Point uncovered a new series of attacks against multiple industries and revealed that the Dark Caracal cyberespionage group is back. The Dark Caracal APT group is believed to be linked to a Lebanese intelligence agency. In its latest activity, the group has carried out a series of attacks against multiple sectors using a new variant of the 13-year-old Bandook backdoor Trojan.

A variety of sectors and locations have been targeted in the latest campaigns to expedite offensive cyberespionage operations.

Bandook Attacks
Bandook was last spotted in the 2015 and 2017 campaigns dubbed “Operation Manul” and “Dark Caracal”, attributed to the Kazakh and Lebanese governments respectively. This suggests that the implant was developed by a third-party actor and used by multiple APT groups.

In the latest campaign, the attackers targeted multiple sectors including government, finance, energy, the food industry, healthcare, education, IT, and legal institutions. The group targeted entities in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia, and Germany.

“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family,” reads the report published by Check Point.

“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”

Working Mechanism & Variants
The threat actors use a Microsoft Word document as a lure. The document contains an embedded encrypted malicious script along with an external template that carries macros. The second stage drops a PowerShell loader that decodes and executes a base64-encoded PowerShell script. The Bandook Trojan is delivered in the final stage and is written in both C++ and Delphi.
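Two of the stages above leave artifacts a defender can check for: a Word document that pulls its template from an external location, and a PowerShell launch carrying a base64-encoded script. The following Python script is an added example written for this article, not Check Point's code or anything from the campaign. It builds a minimal constructed .docx in memory, checks its relationship files for an attachedTemplate pointing outside the package, and decodes the UTF-16LE payload behind a PowerShell -EncodedCommand flag in constructed process-creation events. The template URL, the parent process names, and the sample command lines are all invented for the demonstration.

```python
"""Detection helpers for an external-template Word lure and an encoded
PowerShell loader. Added example; all sample data below is constructed."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Real OOXML relationship type used when a document references its template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx; with a URL it mimics the external-template lure."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
    ]
    if template_url:
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr("word/settings.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


def find_external_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that points outside the package."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE_REL
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


# Common spellings of PowerShell's -EncodedCommand switch followed by base64.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded UTF-16LE script behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _encode_ps(script: str) -> str:
    """Helper used only to build the constructed sample event below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (parent process + command line).
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -w hidden -enc " + _encode_ps("Write-Host 'stage two'")},
]


def triage_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only events whose command line carries a decodable encoded script."""
    findings = []
    for ev in events:
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            findings.append({"parent": ev["parent"], "decoded": decoded})
    return findings


if __name__ == "__main__":
    lure = build_sample_docx("https://template.example/lure.dotm")
    print("external templates:", find_external_templates(lure))
    print("clean document:", find_external_templates(build_sample_docx(None)))
    for f in triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{f['parent']} launched encoded PowerShell: {f['decoded']}")
```

The document check deliberately walks every .rels file rather than only word/_rels/settings.xml.rels, since the attachedTemplate relationship is what matters, not the file it sits in. Pairing the decoded command line with the parent process is what turns the second check into a useful signal: an encoded PowerShell launch on its own is common in administration, while one spawned by Word is worth a look.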

Experts noticed that the new release of Bandook is a slimmed-down version of the original malware and supports only 11 of its 120 commands. Supporting only a subset of commands suggests that the threat actors are trying to stay under the radar.

Some of the Bandook variants
• An unsigned full version with 120 commands,
• A signed full version with 120 commands, and
• A signed slimmed-down version with 11 commands.

A Brief Conclusion
Although the Dark Caracal group is not as sophisticated as other APT actors, its attack tactics have improved significantly over the years.
