Dark Caracal: A bumbling, yet surprisingly effective, cyber mercenary group

A mysterious cyber mercenary group called Dark Caracal has made many mistakes but nonetheless remains effective, underscoring the appetite for cheaper alternatives to NSO Group, DarkMatter and other surveillance organizations.

How are a human skull, a dead dog, a kidnapped child and a firebombed newspaper office tied to a mysterious cyber threat group called Dark Caracal that has deployed surveillance malware throughout nations around the globe? Electronic Frontier Foundation senior staff technologist Cooper Quintin explained the connections during a packed talk at this year's DEF CON titled, "Tracking the World's Dumbest Cyber-Mercenaries."

Dark Caracal, named after a cat native to the Middle East, Central Asia and arid regions within Pakistan and India, is a persistent and prolific espionage group that has targeted journalists, activists and educational institutions as well as military and government organizations. The group has succeeded despite itself and demonstrated a proclivity for operational blunders no sophisticated threat actor would commit.

Quintin told README ahead of his talk that Dark Caracal targeted journalist Irina Petrushova, founder and editor of the Kazakh publication Respublika, which was often critical of Kazakhstan President Nursultan Nazarbayev’s regime. Someone "put a human skull on her door with a note that basically said, stop publishing," Quintin said. "When that didn't work, they killed her dog and hung it in front of her office with a note that said there would be no next time. They kidnapped her son from the private school where he goes, and then she got him back." She eventually fled Kazakhstan to relatively safer Russia after someone firebombed the offices of Respublika.

Shortly after that, in 2015, a website called Kaza Word emerged that was critical of the Kazakh government. The government assumed the new site was the work of Petrushova and, because it was hosted in New York, sued her in the New York District Court. At that point, she became EFF's client, a turn of events that, through the group's missteps, led to the discovery of Dark Caracal.

The group left files from infected machines easy to discover

Following the lawsuit, Petrushova began receiving suspicious emails with PDF attachments from someone posing as a human rights lawyer as well as her brother, a co-editor of Respublika. Quintin and several colleagues in the digital rights and privacy space investigated the suspicious attachments and discovered a phishing and malware campaign they called Operation Manul after a wild cat typically found in Central Asia.

The researchers found that Manul used the Bandook malware. "Bandook is a RAT [remote access trojan] that can do all of the normal things that you would expect a RAT to do," Quintin said, such as "turn on the webcam, start a key logger, get screenshots, upload and download files, get Wi-Fi information, execute some other third-party modules and other stuff."

"The interesting thing we documented about this campaign was that the command-and-control servers were running Windows, which is very unusual for a command-and-control server," Quintin explained. "In fact, they were running XAMPP, which is the Windows distribution of PHP and MySQL. And they were running this because they had a web-based PHP-based administration interface for their command-and-control."

"But a fun thing about XAMPP is that it does not hide directories that don't have index files," according to Quintin, "so you can browse the contents of directories that are in the web root from your browser, and it won't hide those."

Fortunately for the researchers, the attacker had uploaded files they got from infected machines to this command-and-control server under the web root in places where the researchers could find them. "So, we were able to exfiltrate a ton of data that had been stolen from people's infected computers. We were also able to find the RAT control panels where the operator of this campaign could log in and operate the mailer and we found a bunch of uploaded documents and password files from [other campaigns]. It was just amazingly poor skill on the part of the operator," Quintin said.

The researchers also determined that the RAT had a mobile component. Later, EFF and Lookout Security found samples of this component, which they called Pallas, another name for the Manul cat. Pallas was distributed as backdoored versions of legitimate encrypted messaging apps such as Signal and WhatsApp; the trojanized apps gave operators remote capabilities such as taking pictures, intercepting text messages, recording audio, accessing contacts and more.

Dark Caracal left the IP addresses of every infected machine exposed

The researchers found still more campaigns the group, now dubbed Dark Caracal, was undertaking by downloading 81 gigabytes of data stolen from infected machines. Moreover, the researchers discovered that, because the server ran XAMPP, they could open an Apache status page, which Quintin said allowed them to view real-time logs of everyone who visited this central server.

"So, from this, we were able to find not only the IP addresses of every machine that had been infected because we were able to watch them connect to the command-and-control server in real-time," Quintin said, "but we were also able to find the IP addresses of the attacker as they logged in to the web interface for the command-and-control server because they were the only ones connecting to that URL."

This gold mine of information allowed the researchers "to get an idea about where this attack is coming from, or we can at least get more of a sense of who the attacker is," Quintin said. EFF was able to map the IP addresses and discovered victims worldwide (in the U.S., Canada, Europe, India and China), but with a significant concentration of them in Lebanon, particularly in downtown Beirut.

IP addresses led to Lebanese security authorities

The researchers produced a graph of all the infected devices and the Wi-Fi networks they connected to. In it they noticed a small cluster of what appeared to be test devices: they never connected to anything else, only to a single IP address and a single Wi-Fi network named BLD3F6. The researchers took the name to mean "building three, floor six," which matched a building in downtown Beirut. After EFF sent someone to find the building, they discovered it belonged to Lebanon's General Directorate of General Security (GDGS), a government agency akin to the CIA, NSA, Border Patrol and FBI rolled into one.

This discovery perplexed the researchers. "Why, if GDGS is behind this, which it seems almost certain they are, why are they also attacking a journalist in Kazakhstan? Why would they be doing things on behalf of the Kazakh government?" Quintin said. "The conclusion that we eventually came to is that the group doing this is working for GDGS but is also moonlighting and doing their own cyber mercenary work for a number of other actors."

After EFF reported this finding, ESET issued a report called "Bandidos at Large" about a new campaign using Bandook in Latin America. Researchers at Check Point wrote about another new campaign of Bandook, although they identified no clear victims.

EFF discovered that Bandook was written by someone who goes by the name Prince Ali and lives in Beirut. At one point, Prince Ali sought employment at the Italian surveillance company Hacking Team, "telling them that he also had a really nice piece of mobile spyware that he could share with them if they hired him," Quintin said. (Hacking Team eventually went out of business after it was thoroughly owned by a hacktivist known only as "Phineas Fisher" in a now-infamous attack on the company.)

Secondary domain registration failure let EFF create a malware sinkhole

In 2022, a new version of Bandook appeared that no longer used XAMPP but did use two domains for its operations: one as a main command-and-control domain and another to download additional functionality. But the second domain, unclesow.com, was unregistered.

"They had forgotten to register this secondary domain," Quintin said. "So, I ended up registering it myself to help them out, of course. And we created what's known as a malware sinkhole" to find out the scope of who's infected and to stop the malware from functioning so that people don't get further infected.

"Immediately, infected machines started connecting to our sinkhole. We ended up getting about, on average, on a weekday 700 to 800 infected machines connecting every day. And each of those machines connects multiple times a day. Interestingly, on weekends, it goes down to between three and four hundred on Saturdays and one to two hundred on Sundays. So, we think that most of these infected machines are business machines because people go home on the weekends."
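The analysis Quintin describes, counting distinct hosts beaconing to a sinkhole each day and comparing weekdays with weekends, as an added example that is not the article's or EFF's own code. It runs over constructed Apache-style log lines (RFC 5737 documentation addresses, hypothetical request paths).

```python
"""Summarise a malware-sinkhole access log: distinct infected hosts per day,
then weekday vs. weekend averages. Log lines below are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format, which a sinkhole web server would write by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample: Mon 7 Aug and Tue 8 Aug 2023 (weekdays), Sat 12 Aug (weekend).
# Hosts beacon several times a day, so requests must not be confused with hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2023:09:00:01 +0000] "GET /update/mod1.bin HTTP/1.1" 404 196
203.0.113.5 - - [07/Aug/2023:13:00:02 +0000] "GET /update/mod1.bin HTTP/1.1" 404 196
198.51.100.7 - - [07/Aug/2023:09:05:10 +0000] "GET /update/mod1.bin HTTP/1.1" 404 196
192.0.2.44 - - [07/Aug/2023:11:20:00 +0000] "GET /update/mod2.bin HTTP/1.1" 404 196
203.0.113.5 - - [08/Aug/2023:09:00:03 +0000] "GET /update/mod1.bin HTTP/1.1" 404 196
198.51.100.7 - - [08/Aug/2023:09:04:59 +0000] "GET /update/mod1.bin HTTP/1.1" 404 196
192.0.2.44 - - [08/Aug/2023:11:22:00 +0000] "GET /update/mod2.bin HTTP/1.1" 404 196
192.0.2.45 - - [08/Aug/2023:11:22:01 +0000] "GET /update/mod2.bin HTTP/1.1" 404 196
203.0.113.5 - - [12/Aug/2023:10:00:00 +0000] "GET /update/mod1.bin HTTP/1.1" 404 196
"""

def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def hosts_per_day(log_text):
    """Map each calendar date to the set of distinct client IPs seen that day."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            days[ts.date()].add(ip)
    return days

def weekday_weekend_averages(days):
    """(weekday average, weekend average) of distinct hosts; a sharp weekend
    drop is the signal that the infected machines are business workstations."""
    weekday = [len(v) for d, v in days.items() if d.weekday() < 5]
    weekend = [len(v) for d, v in days.items() if d.weekday() >= 5]
    avg = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return avg(weekday), avg(weekend)

def total_infected(days):
    """Distinct hosts across the whole log: the scope of the infection."""
    return len(set().union(*days.values())) if days else 0
```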

As was true of EFF's earlier discoveries, the sinkhole showed Bandook infections from all over the globe, but this time they discovered that "by orders of magnitude," most of the infected machines were in the Dominican Republic. "Now, what the hell is Dark Caracal doing in the Dominican Republic?" Quintin asked.

Quintin listened to a podcast about Dark Caracal and discovered that the Conti ransomware group had used Bandook to deliver its malware in the Dominican Republic. "Is Dark Caracal working with Conti now, or have they sold the malware? I have no idea," he said.

Despite all the mistakes, Dark Caracal is very effective

There's no question that Dark Caracal has made mistakes that more sophisticated threat actors take great pains to avoid. "I give them the dunce cap," Quintin said. "They have made so many stupid mistakes over the years that have given me a lot of insight into their workings, from leaving directories open to leaving their server logs open to just forgetting to register a server for their malware. Dark Caracal is just the dumbest kid on the block."

Despite earning the title of the cyber mercenary gang that couldn't shoot straight, "they're still really effective," Quintin said. "They managed to infect thousands of people in the Lebanon campaign. They managed to infect hundreds of people in their latest campaign and install ransomware on a ton of machines. So, you don't need to be that smart to be effective. They're still disturbingly effective."

The success of Dark Caracal proves that "not everyone has to be a high-end player like Candiru or NSO Group, or DarkMatter," Quintin said. "I think there's a large market for cheaper low-end mercenaries who can be subcontracted out to by these bigger groups or who can be hired by private investigator firms or who can be hired by countries that maybe aren't as well resourced. I think that that's a serious concern. I think that's something we need to focus on."