
Dark Caracal

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)
ID: G0070
Associated Groups: 
Version: 1.4
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018)
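A defender inspecting HTTP bodies for this framing can decode it mechanically: a Base64 run followed by the literal "&&&". The following is an added example written for this page, not code from the Lookout report or from Bandook itself; the sample bodies are constructed, and the regular expression and function names are assumptions. It treats "&&&" strictly as a terminating suffix, as the text describes, and rejects anything that is not valid Base64 so that ordinary form data containing "&&" sequences is not flagged.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Frame format described in the text: Base64 payload terminated by "&&&".
# (Regex and helper names are this example's own assumptions.)
FRAME_RE = re.compile(r"^([A-Za-z0-9+/]+={0,2})&&&$")

# Constructed sample HTTP bodies (not real captures). The first two are built
# at runtime so the Base64 is guaranteed correct; the rest are benign lookalikes.
SAMPLE_BODIES: List[str] = [
    base64.b64encode(b"hello").decode() + "&&&",          # framed payload
    base64.b64encode(b"cmd=sysinfo").decode() + "&&&",    # framed payload
    "username=alice&password=secret",                     # ordinary form body
    base64.b64encode(b"hello").decode(),                  # Base64, no suffix
    "a=1&&&b=2",                                          # "&&&" but not a suffix
]


def decode_framed_payload(body: str) -> Optional[bytes]:
    """Return the decoded payload if `body` is a Base64 string suffixed with
    "&&&", otherwise None. Strict validation avoids false positives on text
    that merely contains ampersands."""
    match = FRAME_RE.match(body.strip())
    if not match:
        return None
    try:
        # validate=True rejects non-alphabet characters and bad padding.
        return base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_bodies(bodies: List[str]) -> List[Tuple[int, bytes]]:
    """Scan a list of HTTP bodies and return (index, decoded payload) for each
    one that matches the framing. Feed this from a proxy log or PCAP parser."""
    hits: List[Tuple[int, bytes]] = []
    for idx, body in enumerate(bodies):
        decoded = decode_framed_payload(body)
        if decoded is not None:
            hits.append((idx, decoded))
    return hits


if __name__ == "__main__":
    for idx, payload in scan_bodies(SAMPLE_BODIES):
        print(f"body {idx}: framed payload -> {payload!r}")
```

Only bodies 0 and 1 are reported; the form body, the unsuffixed Base64 string and the "a=1&&&b=2" case all decode to None, which is the behaviour a detection rule needs before it is wired to a proxy or IDS feed.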

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.(Citation: Lookout Dark Caracal Jan 2018)
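A Run-key persistence entry of this kind is visible in a plain `reg query` export of the user's Run key. The following is an added example, not code from the report or from the group's tooling: it parses constructed output in the layout `reg query` prints (key path line, then indented `name  type  data` rows) and flags values whose executable lives in a user-writable location such as AppData or Temp. The SID, value names, paths and the list of suspicious directories are all assumptions made for the example; the example also generalises slightly beyond the text by handling quoted paths with arguments.

```python
import re
from typing import Dict, List

# Constructed sample (not a real capture) in the layout printed by
# `reg query HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run`.
# The SID, value names and paths are invented for this example.
SAMPLE_REG_QUERY = r"""
HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Notes       REG_SZ    C:\Users\alice\AppData\Local\Temp\flashplayer.exe
"""

# One indented value row: name, type, data. (Assumed layout of reg query output.)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")

# User-writable directories that legitimate autostart entries rarely use
# (lower-cased substrings, with surrounding backslashes to avoid partial matches).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_run_values(text: str) -> List[Dict[str, str]]:
    """Extract the value rows from reg query output as name/type/data dicts."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = VALUE_RE.match(line)
        if match:
            entries.append({"name": match.group(1),
                            "type": match.group(2),
                            "data": match.group(3).strip()})
    return entries


def executable_path(data: str) -> str:
    """Return the executable part of a Run value: the quoted string if the
    data starts with a quote, otherwise the first whitespace-separated token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def flag_suspicious(entries: List[Dict[str, str]]) -> List[str]:
    """Return the names of Run values whose executable sits in a user-writable
    directory; these deserve a closer look (hash, signer, creation time)."""
    flagged: List[str] = []
    for entry in entries:
        path = executable_path(entry["data"]).lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    values = parse_run_values(SAMPLE_REG_QUERY)
    for name in flag_suspicious(values):
        print(f"suspicious Run value: {name}")
```

On the constructed sample only `Updater` and `Notes` are flagged; the OneDrive entry under Program Files passes. Path location alone is a triage signal, not a verdict, so the flagged entries should be followed up with signer and hash checks.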

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dark Caracal has used macros in Word documents that would download a second stage if executed.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Dark Caracal has used UPX to pack Bandook.(Citation: Lookout Dark Caracal Jan 2018)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1566 .003 Phishing: Spearphishing via Service

Dark Caracal spearphished victims via Facebook and WhatsApp.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.(Citation: Lookout Dark Caracal Jan 2018)

Enterprise T1204 .002 User Execution: Malicious File

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.(Citation: Lookout Dark Caracal Jan 2018)

Software

ID Name References Techniques
S0234 Bandook (Citation: CheckPoint Bandook Nov 2020) (Citation: EFF Manul Aug 2016) (Citation: Lookout Dark Caracal Jan 2018) Screen Capture, Keylogging, Audio Capture, Malicious File, Symmetric Cryptography, Spearphishing Attachment, Code Signing, Peripheral Device Discovery, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Video Capture, System Network Configuration Discovery, Command and Scripting Interpreter, File and Directory Discovery, Exfiltration Over C2 Channel, PowerShell, Process Hollowing, Non-Application Layer Protocol, Steganography, Python, Windows Command Shell, File Deletion, Visual Basic, Ingress Tool Transfer
S0182 FinFisher (Citation: FinFisher Citation) (Citation: FinSpy) (Citation: FireEye FinSpy Sept 2017) (Citation: Lookout Dark Caracal Jan 2018) (Citation: Microsoft FinFisher March 2018) (Citation: Microsoft SIR Vol 21) (Citation: Securelist BlackOasis Oct 2017) Screen Capture, Bypass User Account Control, Bootkit, Match Legitimate Resource Name or Location, Windows Service, System Checks, DLL, System Information Discovery, Deobfuscate/Decode Files or Information, Clear Windows Event Logs, Junk Code Insertion, File and Directory Discovery, Token Impersonation/Theft, Process Discovery, Registry Run Keys / Startup Folder, KernelCallbackTable, Obfuscated Files or Information, Query Registry, Security Software Discovery, Software Packing, DLL Side-Loading, Dynamic-link Library Injection, Credential API Hooking
S0235 CrossRAT (Citation: Lookout Dark Caracal Jan 2018) Screen Capture, File and Directory Discovery, Registry Run Keys / Startup Folder, Launch Agent, XDG Autostart Entries
