Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Dark Caracal

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)
ID: G0070
Associated Groups: 
Version: 1.4
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dark Caracal has used macros in Word documents that would download a second stage if executed.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Dark Caracal has used UPX to pack Bandook.(Citation: Lookout Dark Caracal Jan 2018)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1566 .003 Phishing: Spearphishing via Service

Dark Caracal spearphished victims via Facebook and Whatsapp.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1204 .002 User Execution: Malicious File

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.(Citation: Lookout Dark Caracal Jan 2018)

Software

ID Name References Techniques
S0234 Bandook (Citation: CheckPoint Bandook Nov 2020) (Citation: EFF Manul Aug 2016) (Citation: Lookout Dark Caracal Jan 2018) Audio Capture, Exfiltration Over C2 Channel, Windows Command Shell, Keylogging, Process Hollowing, Ingress Tool Transfer, Peripheral Device Discovery, Steganography, File and Directory Discovery, Non-Application Layer Protocol, Spearphishing Attachment, Command and Scripting Interpreter, Screen Capture, System Network Configuration Discovery, PowerShell, System Information Discovery, Malicious File, Native API, Visual Basic, Video Capture, Python, File Deletion, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Data from Local System, Code Signing
S0182 FinFisher (Citation: FinFisher Citation) (Citation: FinSpy) (Citation: FireEye FinSpy Sept 2017) (Citation: Lookout Dark Caracal Jan 2018) (Citation: Microsoft FinFisher March 2018) (Citation: Microsoft SIR Vol 21) (Citation: Securelist BlackOasis Oct 2017) Token Impersonation/Theft, Screen Capture, Registry Run Keys / Startup Folder, System Checks, DLL Search Order Hijacking, Credential API Hooking, Software Packing, Dynamic-link Library Injection, Bypass User Account Control, Clear Windows Event Logs, File and Directory Discovery, Bootkit, Query Registry, Windows Service, Binary Padding, DLL Side-Loading, Match Legitimate Name or Location, Deobfuscate/Decode Files or Information, Process Discovery, Security Software Discovery, System Information Discovery, Obfuscated Files or Information, KernelCallbackTable
S0235 CrossRAT (Citation: Lookout Dark Caracal Jan 2018) Screen Capture, Launch Agent, File and Directory Discovery, Registry Run Keys / Startup Folder, XDG Autostart Entries

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.