Lookout: Dark Caracal Points To APT Actors Moving To Mobile Targets

CANCUN, Mexico – On the heels of global cyber espionage campaign Dark Caracal, security firm Lookout is sounding the alarm on how it is indicative of advanced persistent threats moving from desktop platforms to mobile platforms.

Dark Caracal, which was first discovered by researchers in January, is the first known global campaign that steals data from Android devices. In January, Lookout and the Electronic Frontier Foundation released a report that outlined Dark Caracal, which stole hundreds of gigabytes of data from primarily Android devices with thousands of victims in 20 countries.

Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data, said Michael Flossman, security analyst at Lookout, speaking with EFF’s Cooper Quintin during Kaspersky Lab’s Security Analyst Summit today.

“This is the first threat by a mobile APT group that had a considerable global reach,” Flossman told Threatpost ahead of SAS. “Desktop security has evolved and matured quite a lot in the last decade. Those same security postures are not in the same place for mobile devices.”

Lookout said in July 2017, they discovered a command-and-control server that was connected to Dark Caracal, containing up to 81 GB of compromised data.

The campaign, targeting both desktop and mobile devices, compromised by fake versions of secure messaging clients, has been operating in a series of multi-platform campaigns since January 2012.

About 60 percent of the information came from Android devices, with the remaining from Windows machines, said Flossman. The actor started on desktop machines, but then transitioned to mobile and made it their primary data collection vehicle.

The Dark Caracal attack uses three types of mobile phishing messages targeting victims to a watering hole.

It then launches a malware, dubbed Pallas, through trojanized versions of popular messaging applications. Attackers then accessed personal data using the permissions users granted when they installed applications.

“One interesting thing about this attack that we haven’t seen a lot was that the majority of applications were fully functional,” said Flossman. “The apps were still intact, so a victim would be less inclined to notice if something was amiss.”

Flossman said one reason Dark Caracal was hard to track is the diversity of seemingly unrelated espionage campaigns originating from the same domain names. Over the years, the campaigns’ work was repeatedly misattributed to other cybercrime groups.

“The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally,” said EFF’s report. “However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.”

In its January report, EFF and Lookout traced Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut.

Flossman said that mobile platforms are appealing to APT actors because they have less security measures, are simpler, and are cheaper for attackers to launch a campaign for.

“In the case of Dark Caracal, this actor didn’t need to be overly sophisticated to launch the attack. The tooling they created would have cost a couple thousand dollars, and it wouldn’t be challenging to put together for any actor with prior capability in the desktop space. It makes a lot of sense for them to shift to a mobile focus.”

Flossman said that mobile device users can protect themselves by making sure they have visibility and actually have a way of getting insights into what’s going on on their endpoints.