Targeted attacks are known as some of the most destructive cyber attacks in that they zoom in on organizations that either provide critical services or have massive user bases. A report revealed that at the end of 2019, 67% of the cyber attacks recorded were targeted. Another report revealed that these attacks trailed their sights most on companies in the entertainment/media, financial, and government sectors.

We sought to look at one targeted attack dubbed “Dark Caracal,” in particular, to see if seemingly old attacks can still pose risks due to yet undisclosed indicators of compromise (IoCs) using a variety of threat intelligence gathering tools.

What Is Dark Caracal?

Dark Caracal is a threat group that has been cited for ties to attacks targeting the Lebanese General Directorate of General Security (GDGS). It has been operating since at least 2012. It has also been identified for its use of malicious tools such as:

• Bandook: A backdoor that infects systems through a document that when opened leads to the download and execution of the malware.
• CrossRAT: A cross-platform spyware that attackers can control via a command-and-control (C&C) server that it automatically connects to when executed.
• FinSpy: A spyware suite that is advertised as a tool for tactical/strategic intelligence gathering and deployment method and exploitation investigation for law enforcement agencies’ use.
• Pallas: A mobile device surveillanceware designed by the members of Dark Caracal themselves.

While it has been some time since Dark Caracal figured in the news, a report from Amnesty International in September of this year brought FinSpy back into the spotlight. One possible reason for its seeming comeback could be that not all of the Dark Caracal IoCs have yet been publicly reported and so could still be wreaking havoc.

Dark Caracal-Related Undisclosed IoCs?

We obtained a list of the publicly available Dark Caracal-related IoCs from an in-depth Lookout report published in January 2018. From it, we obtained a list of:

• 6 email addresses
• 13 IP addresses
• 36 domain names

We used two threat intelligence gathering tools to identify other possible IoCs that aren’t included in Lookout’s list, namely:

• Reverse WHOIS Search: To get a list of additional domain names that used the identified email addresses as “registrant email address” in their WHOIS records.
• DNS Lookup: To obtain additional IP addresses connected to the publicly disclosed domain names.

IP Addresses

Using the 36 domain names from the Lookout report as search terms for DNS lookups, we obtained 12 IP addresses, none of which have been publicly disclosed as Dark Caracal IoCs. These include:

As shown, nine of the additional IP addresses are at the very least worth looking into although it may be safer for organizations to include them in their blacklists.

Using IP Geolocation Bulk GUI, we found that the majority of IP addresses in the combined IoC (publicly disclosed and not yet reported) list originated from the U.S.

Domain Names

Using the six email addresses from the Lookout report as search terms for advanced reverse WHOIS searches, we obtained a list of 11 domain names, five of which are identified in the said report. The six undisclosed domain names include:

As shown, four of the additional domain names are at the very least worth digging deeper into although they may also warrant inclusion in company blacklists.

Using Bulk WHOIS Lookup, we found that most of the domains in the combined list (totaling 39 domain names) were registered in the U.S., consistent with our IP geolocation findings. But contrary to IP geolocation information, all other registrant countries did not match the IP geolocation information.

We also found that a vast majority of the domain registrants did not disclose their WHOIS information either through redaction or privacy protection. Only 12 had publicly identifiable registrant details.

As this short study showed, not all possible IoCs for a cyber attack may be found in public records or incident reports. For organizations that wish to ensure utmost protection, domain research and monitoring using a variety of WHOIS, DNS, and IP intelligence tools may be necessary, especially since most undisclosed IoCs can be confirmed malware sources.