Recently, Check Point researchers unveiled that the Dark Caracal threat group is very much alive and active.

The scoop

The Dark Caracal APT group is believed to be linked to a Lebanese intelligence agency. It was discovered leveraging a new strain of the 13-year-old Bandook trojan in its latest attacks. A variety of sectors and locations have been targeted in the latest campaigns, which serve offensive cyberespionage operations.

Infection chain

  • The threat actors use a Microsoft Word document as a lure. The document contains an embedded encrypted malicious script, along with an external template that carries the macros.
  • The second stage drops a PowerShell loader that decodes and executes a base64-encoded PowerShell script.
  • The Bandook trojan is delivered in the final stage and is written in both C++ and Delphi.
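
The first two stages of the chain above leave artifacts a defender can check for: a Word document that pulls its template from an external location (the `attachedTemplate` relationship in `word/_rels/settings.xml.rels` with `TargetMode="External"`), and a PowerShell launch that passes its script via `-EncodedCommand` (base64 of UTF-16LE text). The following added example, written for this summary and not code from Check Point or the Cyware article, builds a constructed minimal `.docx` in memory, flags any external template reference, and decodes constructed `-Enc` command lines such as those found in process-creation logs. The file layout and relationship type URI are standard OOXML; the sample document, URL and command lines are constructed placeholders.

```python
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML namespaces (real values, not page-specific).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_external_templates(docx_bytes):
    """Return the targets of every external attachedTemplate relationship.

    A lure document that fetches its template from a remote location has no
    macro of its own; the fetched template carries it, which is why the .docx
    alone can look clean to macro-only scanners.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target"))
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal .docx for testing (not a real sample).

    When template_target is given, settings.xml.rels points at it as an
    external template; otherwise no template relationship is written.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if template_target is not None:
            rels = (
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"
            )
            z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Accepted abbreviations of -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline uses -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_cmdlines(cmdlines):
    """Return (cmdline, decoded_script) for every encoded PowerShell launch."""
    findings = []
    for c in cmdlines:
        decoded = decode_encoded_powershell(c)
        if decoded is not None:
            findings.append((c, decoded))
    return findings


# Constructed process-creation command lines, not from the campaign.
SAMPLE_CMDLINES = [
    'WINWORD.EXE /n "C:\\Users\\victim\\Downloads\\invoice.docx"',
    "powershell.exe -NoP -W Hidden -Enc "
    + base64.b64encode("Write-Host 'stage two'".encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    # Placeholder URL; a real finding would show the template host here.
    doc = build_sample_docx("http://template.example/invoice.dotm")
    print("external templates:", find_external_templates(doc))
    for cmd, script in triage_cmdlines(SAMPLE_CMDLINES):
        print("encoded PowerShell:", script)
```

Both checks are cheap to run at scale: the template check over mail attachments before delivery, the command-line check over endpoint telemetry after the fact.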

Bandook variants

  • An unsigned full version with 120 commands,
  • A signed full version with 120 commands, and
  • A signed toned-down version with 11 commands.

The bottom line

Although the Dark Caracal group is not as sophisticated as other APT actors, its attack tactics have improved significantly over the years.

Cyware Publisher