Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Hundreds of gigabytes already slurped, say EFF and Lookout


An investigation by the Electronic Frontier Foundation and security biz Lookout has uncovered Dark Caracal, a surveillance-toolkit-for-hire that has been used to suck huge amounts of data from Android mobiles and Windows desktop PCs around the world.

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last year.

Crucially, it appears someone is renting out the Dark Caracal spyware platform to nation-state snoops.

"This is definitely one group using the same infrastructure," Eva Galperin, the EFF's director of cybersecurity, told The Register on Wednesday. "We think there's a third party selling this to governments."

Dark Caracal has, we're told, been used to siphon off information from thousands of targets in over 21 countries – from private documents, call records, audio recordings, and text messages to contact information, and photos from military, government, and business targets, as well as activists and journalists.

[Map] Dark Caracal has an impressive geographical reach ... Each dot marks the general location of an infected victim

After the EFF published its dossier on the Operation Manul cyber-snooping program in 2016, Lookout went looking through its database of collected malware samples to hunt down the spyware responsible. Lookout found the code nasty, a custom-made piece of Android evilware dubbed Pallas, which appears to be a component of the Dark Caracal toolkit.

In other words, Pallas is used to hijack targets' smartphones, and is distributed and controlled via the Dark Caracal platform rented out to governments.

The primary way to pick up Pallas on your gadget is by installing infected applications – such as WhatsApp and Signal ripoffs – from non-official software souks. Pallas doesn't exploit zero-days to take over a device, but instead relies on users being tricked into installing booby-trapped apps and granting the malicious software a large variety of permissions. Once in place, it can surreptitiously record audio from the phone's microphone, reveal the gizmo's location to snoops, and leak all the data the handset contains to its masters.
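The infection route described above gives a defender two cheap signals to triage a handset: where an app was installed from, and whether a sideloaded app holds the combination of permissions that would let it do what Pallas does. The Python below is an added illustration written for this page, not code from the article, the EFF or Lookout. It assumes installer data is pulled with the real `adb shell pm list packages -i` command (lines of the form `package:<name>  installer=<installer>`, with `null` for sideloaded packages) and that the granted permissions per package have been collected separately; the sample output and permission sets are constructed. Note that the permission set alone is not a signal, since the genuine WhatsApp legitimately holds most of these permissions, which is why the check only fires for sideloaded packages or look-alike package names.

```python
"""Triage heuristic for Pallas-style trojanized apps (added example).

Assumptions, not from the article:
  * installer data comes from `adb shell pm list packages -i`
  * per-package granted permissions are collected into a dict
  * all sample data below is constructed for illustration
"""
import re
from typing import Dict, List, Set, Tuple

PLAY_STORE = "com.android.vending"  # installer name Android reports for Google Play

# Permissions that together give the capabilities the article attributes to
# Pallas: microphone, location, messages, call records, contacts, storage.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Official package names of the apps the article says were impersonated,
# used to spot look-alike packages that borrow the brand but are not the real thing.
OFFICIAL = {"whatsapp": "com.whatsapp", "signal": "org.thoughtcrime.securesms"}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer ('null' means sideloaded or unknown)."""
    installers: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def looks_like_impostor(pkg: str) -> bool:
    """True when a package carries a known brand name but is not the official package."""
    low = pkg.lower()
    return any(brand in low and pkg != official for brand, official in OFFICIAL.items())


def triage(installers: Dict[str, str],
           perms: Dict[str, Set[str]],
           min_hits: int = 4) -> List[Tuple[str, List[str]]]:
    """Return (package, reasons) for every package worth a closer look."""
    findings: List[Tuple[str, List[str]]] = []
    for pkg, installer in installers.items():
        sideloaded = installer != PLAY_STORE
        held = SURVEILLANCE_PERMS & perms.get(pkg, set())
        reasons: List[str] = []
        # A broad surveillance permission set is only suspicious together with sideloading.
        if sideloaded and len(held) >= min_hits:
            reasons.append(f"sideloaded (installer={installer}) with {len(held)} surveillance permissions")
        if looks_like_impostor(pkg):
            reasons.append("package name impersonates a well-known messaging app")
        if reasons:
            findings.append((pkg, reasons))
    return findings


# Constructed sample: two genuine Play-installed apps, one WhatsApp look-alike
# sideloaded from an unknown source, and a harmless sideloaded flashlight app.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.whatsapp.update  installer=null
package:com.example.flashlight  installer=null
"""

SAMPLE_PERMS: Dict[str, Set[str]] = {
    # The real app legitimately holds most of these; it is not flagged because
    # it came from the Play Store and uses the official package name.
    "com.whatsapp": set(SURVEILLANCE_PERMS),
    "org.thoughtcrime.securesms": {"android.permission.READ_CONTACTS",
                                   "android.permission.READ_SMS"},
    "com.whatsapp.update": set(SURVEILLANCE_PERMS),
    "com.example.flashlight": {"android.permission.CAMERA"},
}

if __name__ == "__main__":
    for pkg, reasons in triage(parse_pm_list(SAMPLE_PM_OUTPUT), SAMPLE_PERMS):
        print(pkg)
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample, only `com.whatsapp.update` is reported, for both reasons. In practice the permission dictionary would be filled from `dumpsys package <name>` output, and `min_hits` tuned to the organisation's tolerance for false positives.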

In addition, the Dark Caracal platform offers another surveillance tool: a previously unseen sample of FinFisher, the spyware package sold to governments to surveil citizens. It's not known if this was legitimately purchased, or a demo version that was adapted.

On the desktop side, Dark Caracal provides a Delphi-coded Bandook trojan, previously identified in Operation Manul, that commandeers Windows systems. Essentially, marks are tricked into installing and running infected programs signed with a legitimate security certificate. Once up and running, the software nasty downloads more malware from command-and-control servers. The code pest can also be stashed in Microsoft Word documents, and executed using macros – so beware, Office admins.

The EFF and Lookout are trying to find out who exactly is running and using the Dark Caracal network. An update is expected in the summer, once attribution can be made with some certainty. ®

Biting the hand that feeds IT © 1998–2022