
Dark Caracal: Undisclosed Targeted Attack IoCs Can Pose Risks

Targeted attacks are among the most destructive cyber attacks because they zoom in on organizations that either provide critical services or have massive user bases. One report found that at the end of 2019, 67% of the cyber attacks recorded were targeted. Another found that these attacks concentrated most heavily on companies in the entertainment/media, financial, and government sectors.

Using a variety of threat intelligence gathering tools, we looked at one targeted attack campaign in particular, dubbed “Dark Caracal,” to see whether a seemingly old attack can still pose risks through as-yet undisclosed indicators of compromise (IoCs).

What Is Dark Caracal?

Dark Caracal is a threat group that public reporting has tied to the Lebanese General Directorate of General Security (GDGS). It has been operating since at least 2012. It has also been identified by its use of malicious tools such as:

  • Bandook: A backdoor delivered through a malicious document; opening the document leads to the download and execution of the malware.
  • CrossRAT: A cross-platform remote access trojan (spyware) that connects to a command-and-control (C&C) server as soon as it is executed, giving the attackers control of the host.
  • FinSpy: A commercial spyware suite marketed to law enforcement and intelligence agencies for intelligence gathering.
  • Pallas: Mobile device surveillanceware developed by the members of Dark Caracal themselves.

While it has been some time since Dark Caracal figured in the news, a report from Amnesty International in September of this year brought FinSpy back into the spotlight. One possible reason for the tool’s seeming comeback is that not all Dark Caracal IoCs have been publicly reported, so infrastructure tied to the group could still be in use.

Dark Caracal-Related Undisclosed IoCs?

We obtained a list of the publicly available Dark Caracal-related IoCs from an in-depth Lookout report published in January 2018. From it, we obtained a list of:

  • 6 email addresses
  • 13 IP addresses
  • 36 domain names

We used two threat intelligence gathering tools to identify other possible IoCs that aren’t included in Lookout’s list, namely:

  • Reverse WHOIS Search: To get a list of additional domain names that used the identified email addresses as “registrant email address” in their WHOIS records.
  • DNS Lookup: To obtain additional IP addresses connected to the publicly disclosed domain names.
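
The two pivots described above, as an added example that is not code from the original article or from WhoisXML API: it runs offline over constructed DNS answers and WHOIS records (the Lookout IoC list is not used), pivots from seed registrant e-mail addresses to domains and from domains to IP addresses, and reports only the indicators that the published list lacks, keeping for each new IP the domains that led to it. It goes one step beyond the article by also resolving the domains found through reverse WHOIS. Every domain, address, e-mail and record below is assumed sample data.

```python
# Added example (not code from the article or from WhoisXML API): expanding a
# published IoC list by reverse-WHOIS and DNS pivots, run offline over
# constructed sample records. Every domain, IP and e-mail below is made up.
import ipaddress
from collections import defaultdict

# Seed IoCs as a report would publish them (constructed; defanged).
PUBLISHED_DOMAINS = {"example-c2[.]net", "update-cdn[.]org"}
PUBLISHED_IPS = {"198[.]51[.]100[.]7"}
PUBLISHED_EMAILS = {"registrant@example.org"}

# Stand-ins for what a DNS lookup and a reverse-WHOIS search would return.
DNS_A_RECORDS = {
    "example-c2.net": ["198.51.100.7", "203.0.113.12"],
    "update-cdn.org": ["203.0.113.12", "192.0.2.44"],
    "login-portal.info": ["192.0.2.99", "127.0.0.1"],  # parked/sinkholed answer mixed in
    "unrelated-shop.com": ["192.0.2.200"],
}
WHOIS_RECORDS = [
    {"domain": "example-c2.net", "registrant_email": "Registrant@example.org"},
    {"domain": "update-cdn.org", "registrant_email": "REDACTED FOR PRIVACY"},
    {"domain": "login-portal.info", "registrant_email": "registrant@example.org"},
    {"domain": "unrelated-shop.com", "registrant_email": "other@example.com"},
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 45[.]32[.]72[.]190 back into a usable string."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").lower()


def defang(ioc: str) -> str:
    """Defang before writing indicators back into a report."""
    return ioc.replace(".", "[.]")


def reverse_whois(emails, whois_records):
    """Domains whose registrant e-mail is one of the seeds (case-insensitive, as WHOIS data is)."""
    wanted = {e.lower() for e in emails}
    return {r["domain"].lower() for r in whois_records
            if r["registrant_email"].lower() in wanted}


def is_usable_ip(ip: str) -> bool:
    """Reject loopback/unspecified answers (parking, sinkholes); they say nothing about the actor."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified)


def resolve(domains, dns_records):
    """Map each resolved IP to the domains that pointed at it, so the analyst keeps the pivot path."""
    hits = defaultdict(set)
    for domain in domains:
        for ip in dns_records.get(domain, []):
            if is_usable_ip(ip):
                hits[ip].add(domain)
    return hits


def expand_iocs(published_domains, published_ips, published_emails, whois_records, dns_records):
    """Return indicators reachable by one WHOIS pivot and one DNS pivot that the published list lacks."""
    known_domains = {refang(d) for d in published_domains}
    known_ips = {refang(i) for i in published_ips}
    # Pivot 1: registrant e-mail -> other domains registered with the same address.
    new_domains = reverse_whois(published_emails, whois_records) - known_domains
    # Pivot 2: domain -> A records, over both the published and the newly found domains.
    ip_hits = resolve(known_domains | new_domains, dns_records)
    new_ips = {ip: sorted(src) for ip, src in ip_hits.items() if ip not in known_ips}
    return {"new_domains": sorted(new_domains), "new_ips": new_ips}


if __name__ == "__main__":
    found = expand_iocs(PUBLISHED_DOMAINS, PUBLISHED_IPS, PUBLISHED_EMAILS, WHOIS_RECORDS, DNS_A_RECORDS)
    for d in found["new_domains"]:
        print(f"domain {defang(d)}  (reverse WHOIS on published registrant e-mail)")
    for ip, sources in sorted(found["new_ips"].items()):
        print(f"ip     {defang(ip)}  <- {', '.join(defang(s) for s in sources)}")
```

The provenance kept for each IP (which domains resolved to it) is what lets an analyst decide whether an address is dedicated actor infrastructure or a shared host that many unrelated domains also use; the loopback/unspecified filter drops the answers that parked and sinkholed domains commonly return.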

IP Addresses

Using the 36 domain names from the Lookout report as search terms for DNS lookups, we obtained 12 IP addresses, none of which have been publicly disclosed as Dark Caracal IoCs. They are:

Table 1: Non-Publicly Disclosed Dark Caracal-Related IP Addresses

  #    IP Address               Malicious? (According to VirusTotal)
  1    34[.]102[.]136[.]180     Yes
  2    159[.]89[.]221[.]0       No
  3    173[.]239[.]8[.]164      Yes
  4    173[.]239[.]5[.]6        Yes
  5    213[.]247[.]47[.]190     Yes
  6    52[.]58[.]78[.]16        Yes
  7    209[.]141[.]38[.]71      Yes
  8    192[.]161[.]187[.]200    Yes
  9    204[.]11[.]56[.]48       Yes
  10   45[.]32[.]72[.]190       No
  11   185[.]196[.]8[.]122      Yes
  12   91[.]195[.]241[.]137     No

As shown, nine of the 12 additional IP addresses are flagged as malicious on VirusTotal. At the very least they are worth investigating, and organizations may find it safer to include them in their blacklists outright.

Using IP Geolocation Bulk GUI, we found that the majority of IP addresses in the combined IoC (publicly disclosed and not yet reported) list originated from the U.S.

Domain Names

Using the six email addresses from the Lookout report as search terms for advanced reverse WHOIS searches, we obtained a list of 11 domain names, five of which are already identified in the said report. The six undisclosed domain names are:

Table 2: Non-Publicly Disclosed Dark Caracal-Related Domain Names

  #    Domain Name                 Malicious? (According to VirusTotal)
  1    nancyrazzouk[.]com          Yes
  2    twiterservices[.]org        Yes
  3    gmailservices[.]org         Yes
  4    facebookservices[.]org      Yes
  5    analytics-lb[.]com          No
  6    arabpublishers[.]net        No

As shown, four of the six additional domain names are flagged as malicious on VirusTotal. At the very least they warrant digging deeper into, and they may also warrant inclusion in company blacklists.
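
One way to put the two tables to work before deciding on blacklisting, as an added example that is not code from the original article or from WhoisXML API: the indicators are copied from the tables above, still defanged as published, and are matched against a constructed proxy log (the log format, client addresses and URLs are assumed for the example). The domain check is done on label boundaries so that a lookalike such as notgmailservices.org does not match gmailservices.org and the legitimate gmail.com never matches either.

```python
# Added example (not code from the article or from WhoisXML API): checking proxy
# logs against the defanged indicators from the two tables above. The log lines
# are constructed for the example; the indicators are copied from the tables.
from urllib.parse import urlsplit

IOC_DOMAINS = ["nancyrazzouk[.]com", "twiterservices[.]org",
               "gmailservices[.]org", "facebookservices[.]org"]
IOC_IPS = ["173[.]239[.]8[.]164", "185[.]196[.]8[.]122"]

# Constructed proxy log: "<timestamp> <client> <server> <url>", one connection per line.
SAMPLE_PROXY_LOG = """\
2020-10-01T10:00:01Z 10.1.2.3 198.51.100.20 http://www.example.com/
2020-10-01T10:00:05Z 10.1.2.3 185.196.8.122 http://update.gmailservices.org/check
2020-10-01T10:00:09Z 10.1.2.7 198.51.100.21 https://mail.gmail.com/
2020-10-01T10:00:12Z 10.1.2.9 198.51.100.22 http://notgmailservices.org/
2020-10-01T10:00:15Z 10.1.2.9 173.239.8.164 https://173.239.8.164:8443/api
""".splitlines()


def refang(ioc: str) -> str:
    """Reverse the [.] defanging used in published IoC tables."""
    return ioc.strip().replace("[.]", ".").lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True for the IoC domain itself or any subdomain of it, never for a longer lookalike.

    A plain endswith() would let notgmailservices.org match gmailservices.org, so the
    comparison is anchored on a label boundary.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def parse_line(line: str):
    """Split one constructed proxy log line into (timestamp, client, server, host)."""
    ts, client, server, url = line.split(maxsplit=3)
    host = urlsplit(url).hostname or ""
    return ts, client, server, host


def scan_log(lines, ioc_domains, ioc_ips):
    """Return one record per matching (line, indicator) pair, for triage or blocking."""
    domains = [refang(d) for d in ioc_domains]
    ips = {refang(i) for i in ioc_ips}
    hits = []
    for number, line in enumerate(lines, start=1):
        ts, client, server, host = parse_line(line)
        matched = set()
        for d in domains:
            if domain_matches(host, d):
                matched.add(("domain", d))
        # Either the connected-to server or a literal-IP URL host may be an IoC IP.
        for ip in (server, host):
            if ip in ips:
                matched.add(("ip", ip))
        for kind, indicator in sorted(matched):
            hits.append({"line": number, "time": ts, "client": client,
                         "kind": kind, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG, IOC_DOMAINS, IOC_IPS):
        print(f"line {hit['line']} {hit['time']} client {hit['client']}: "
              f"{hit['kind']} {hit['indicator']}")
```

On the constructed log this flags the connection to update.gmailservices.org twice (once for the domain, once for the server address 185.196.8.122) and the direct connection to 173.239.8.164 once, while the gmail.com and notgmailservices.org lines pass. Before moving IP indicators from a watchlist to a blacklist, check who else is hosted on the address: blocking an IP on shared hosting or a cloud provider also blocks every unrelated site on it, which is why the domain indicators are the safer ones to block outright.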

Using Bulk WHOIS Lookup, we found that most of the domains in the combined list (totaling 39 domain names) were registered in the U.S., consistent with our IP geolocation findings. For the remaining domains, however, the registrant country did not match the geolocation of the IP address.

We also found that the vast majority of the domain registrants had their WHOIS details hidden, either through redaction or privacy protection. Only 12 domains had publicly identifiable registrant details.

As this short study showed, not all possible IoCs for a cyber attack can be found in public records or incident reports. For organizations that wish to ensure utmost protection, domain research and monitoring using a variety of WHOIS, DNS, and IP intelligence tools may be necessary, especially since a majority of the undisclosed IoCs found here were already flagged as malicious.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
