State-Sponsored Malware Campaign Hits Users Across 21 Countries

Spyware and malware campaigns are on a rise currently. In a joint investigation carried out by cybersecurity company Lookout Security and the civil rights group, Electronic Frontier Foundation (EFF) a new string of spyware campaign being operated from Lebanon has been discovered.

According to the research report from Lookout Security, the campaign has been launched by a new group referred to as Dark Caracal, which is associated with attacks on not tens or hundreds but thousands of victims across 21 countries.

The range of targets is also extremely broad while the building from where this campaign is operated is situated in Beirut and owned by the Lebanese General Directorate of General Security (GDGS). GDGS has a reputation of gathering intelligence for the purpose of national security as well as launching offensive cyber-espionage campaigns.

Researchers opine that [PDF] this campaign is different from previous spyware launches because it has paved way for the trend of ‘spyware for hire.’ The campaign has been active for the past 6 years; it involves stealing of text messages, documents from journalists, call logs, WhatsApp messages, geolocation information, browsing history, audio recordings and targets corporations, military personnel and similar entities of sensitive nature. Its key targets include smartphones across the Middle East, North Africa, North America and Europe.

State-Sponsored Spying Campaign Targeting Users Across 21 Countries
The details shared by researchers show types of content Dark Caracal exfiltrated from victims on both Android and Windows.

The research team assessed test devices, which included a set of phones configured primarily to roadtest Dark Caracal, and identified that these were linked to a WiFi network that was hosted from a website of Lebanon’s security headquarters. The hacking campaign was identified after Lebanese spies published stolen data worth a gigabyte on the internet.

As per Mike Murray, Lookout Security’s intelligence head, this was just like thieves robbed a bank and kept the door where the money was stored unlocked.  When researchers analyzed the stolen data, they were able to identify that military and government personnel, education professionals, medical practitioners and people from academic fraternity across Pakistan, Germany, Italy, Russia, Syria, the United States and South Korea were among the key targets of hackers. It is worth noting that British officials are not impacted by this campaign so far.

State-Sponsored Spying Campaign Targeting Users Across 21 Countries
List of countries from where users were targeted (Lookout)

To make their targeted campaign successful, spies employed a network of fake websites and malicious smartphone applications disguised as Telegram and WhatsApp so as to steal credential information from users like passwords and spying on conversations. Until now, spies have managed to capture around 486,000 text messages.

State-Sponsored Spying Campaign Targeting Users Across 21 Countries
Dark Caracal trojanized Android apps (Lookout)

Moreover, hackers targeted victims through WhatsApp messages and Facebook groups from where malicious software was sent to targeted computers. The malware captured smartphone data after being downloaded and transferred the information back to the servers hosted by GDGS.

Apart from using Android malware including fake versions of messaging apps like Signal, the group also use the notorious surveillance tool FinFisher. The malware is also capable of stealing two-factor authentication codes and accesses the front and back cameras of the phone along with a microphone.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware. This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world,” said EFF Staff Technologist Cooper Quintin.

Source: Lookout / Via: EFF / Report in PDF is available here / Image credit: DepositPhotos/Kentoh

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.