The Dark Caracal threat group is found active again. It’s believed to be a state-sponsored group, supporting Kazakhstan and Lebanon government interests in particular. Although they were inactive for a period of time, they re-emerged in November of 2019 with new, signed versions of the Bandook malware targeting multiple sectors. Now, a much broader list of target industries and countries has been identified. The Bandook malware used by the group is a commercially available, full-featured RAT that has been around since 2007.
This time, new samples of the Bandook malware are found with legitimate signing certificates for Windows (issued by the “Certum” certificate authority,) which would allow them to be run without a warning to the user on any Windows computer. Three new variants of Bandook are found, some expanded (120 commands), some slimmed down (11 commands), and all signed with Certum certificates. In previous campaigns, this actor has displayed impressively lax operational security, enabling researchers to download terabytes of data from their command and control servers. The latest campaign exhibits a somewhat higher level of opsec. Targets include Government, financial, energy, food industry, healthcare, education, IT and legal institutions in multiple countries including Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany.
The Dark Caracal threat actors still seem to primarily use phishing and Office-based macros as their primary method of infection. Because of this, the best step one can take to protect against Dark Caracal is to disable Office macros on your personal devices or that of your entire organization. The final payload in this infection chain is a variant of Bandook. Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server.