Dark Caracal: Global Espionage Malware from Lebanon

The EFF and Lookout are reporting on a new piece of spyware operating out of Lebanon. It primarily targets mobile devices compromised by fake versions of secure messaging clients like Signal and WhatsApp.

From the Lookout announcement:

Dark Caracal has operated a series of multi-platform campaigns starting from at least January 2012, according to our research. The campaigns span across 21+ countries and thousands of victims. Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data. We believe this actor is operating their campaigns from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut.

It looks like a complex infrastructure that’s been well-developed, and continually upgraded and maintained. It appears that a cyberweapons arms manufacturer is selling this tool to different countries. From the full report:

Dark Caracal is using the same infrastructure as was previously seen in the Operation Manul campaign, which targeted journalists, lawyers, and dissidents critical of the government of Kazakhstan.

There’s a lot in the full report. It’s worth reading.

Three news articles.

Posted on January 22, 2018 at 6:38 AM14 Comments


jbmartin6 January 22, 2018 7:19 AM

This phrasing threw me for a loop for a second:

“fake secure messaging clients like Signal and WhatsApp”

Clive Robinson January 22, 2018 9:13 AM

@ jbmartin6,

This phrasing threw me for a loop for a second

At first sight the statment,

    fake secure messaging clients like Signal and WhatsApp

Does look a little odd / contrived. But from a certain view point it is accurate.

The two apps broadly use the same Moxie Marlinspike “Communications Security” but they do not offer any “Device Security”.

Thus as I have pointed out on the odd occassion if an attacker can get access to those applications “plaintext user interface” an attacker goes after that and entirely ignores the “Communications security”, with an “End Run Attack”. These attacks work on “communications end point devices” like PC’s, Smart Phones, Tablets, Pads etc because of the very poor security design of all of these systems. Put simply the appications protective security ends in the App, whilst the lack of device security means that other communications paths can be used to access the plaintext that gets sent from the keyboard and sent to the screen simply by putting a “Tee Shim” or simillar in the path between the app and the user.

Likewise FDE for logs, recordings and other data files is only of use for “data at rest” but is fully accecible via the UI in it’s plaintext form when the device is in use.

This is nothing new but people from the very bottom of security to the very top of security including many Gurus, appear not to be cognizant of this. Or for other reasons are sort of ignoring the issue to atleast get people to improve one part of security –ie the comms link– against NSA “collect it all attacks” and the likes of the FBI with NSL’s and Third Party Record work arounds.

Whilst this is laudable for several reasons, and does improve security against “hovering it up” attacks, it does little or nothing to improve device security, which is where “targeted attacks” are focussed.

This series of APT attacks are clearly targeted and thus were successful.

One of the problems we have is the assumption that targeted attacks are “against bad guys” it’s a myth the likes of the FBI and DoJ are desperatly pushing into the public minds.

As see in this case the people targeted were very probably “bad guys” by any definition most in the West would use.

It’s why we realy need to turn the spotlight realy hard on the nonsense from the FBI / DoJ and device manufactures. Device security is not their and should not be there to protect their vested interests such as NOBUS “frontdoors” “Golden Keys” or “walled gardens”. The idea of NOBUS is rediculously stupid even in physical security, it’s a compleate nonsence in information security.

There is a great deal of value not just in IP but peoples lives and well being in information security. Having weak device security makes those pushing it at best compliant “only following orders” types, through criminal conspiracy through being knowingly part of treason and murder.

Device security matters rather more than comms security because of it’s broader scope to compromise information. As Winston Churchill used to scribble on documents “Action this day”.

Clive Robinson January 22, 2018 9:17 AM


In my above

    probably “bad guys”

Is missing a very important NOT after probably…

David January 22, 2018 9:30 AM

I am shy to say anything. It might get deleted.

So much for open conversation–or even the pretense.

Ratio January 22, 2018 5:35 PM

From pages 17–18 of the report:

Dark Caracal relies primarily on social engineering via posts on a Facebook group and WhatsApp messages in order to compromise target systems, devices, and accounts. At a high-level, the attackers have designed three different kinds of phishing messages, the goal of which is to eventually drive victims to a watering hole controlled by Dark Caracal.

The group distributes trojanized Android applications with the Pallas malware through its watering hole, secureandroid[.]info. Many of these downloads include fake messaging and privacy-oriented apps.

(Emphasis mine.)

@Bruce, maybe you could change “fake secure messaging clients” to “fake versions of secure messaging clients” or something along those lines?

Charbel Qazzi January 22, 2018 5:51 PM

EFF: Before we mistakenly framed India for all that spying on Khazakhstan but it’s really Lebanon!1! This time we’re super extra sure it’s the government of Lebanon although they let other evil groups use this infrastructure too.

Lookout, staffed by straight shooters from totally trustworthy companies with no NOCS at all like Juniper, Fireye, and HP: Look at those sneaky Lebanese spies spying on their strategic enemies like China, France, Germany, India, Italy, Jordan, Lebanon, Nepal, the Netherlands, Pakistan, the Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, The USA, Venezuela, and Vietnam but not Israel.

8200: Yeah we totally saw them doing that at Pizza Hut when we were there picking up pizza.


Wael January 22, 2018 11:44 PM

@Charbel Qazzi,

8200: Yeah we totally saw them doing that at Pizza Hut when we were there picking up pizza.

Hmm… Pizza! You Gotta love it. Didn’t know the 8200 boys are into pizza. Nice report from Al Jazeera, by the way! I tell you, Pizza is dangerous! How many pizzas did they pick up, again? Ummmm…. Guilty as sin!

In 2010, Charbel Qazzi and Tarek Rabaa, both telecom engineers with Alfa (one of Lebanon’s two mobile network operators), were arrested within weeks of each other and charged with spying for Israel..

By the way, when did you get out of jail?

jc January 23, 2018 12:41 PM


I am shy to say anything. It might get deleted.

So much for open conversation–or even the pretense.

I know what you mean.

Recently I was on another forum, hxxp://www.usmessageboard.com/, where someone threated to “charge” me with something vaguely criminal or criminally related, and almost immediately a white car with dark windows pulled up, and someone got out of the car, snatched my laptop computer while I was eating lunch, and took it back into the car, which immediately sped away.

I have complained to law enforcement about the theft, but they did not wish to take an official report, nor have they indicated any intention of “charging” me with anything. In fact they rather told me in an off-hand manner, “Not you.”

A few weeks before that, a man had demanded the battery to my laptop, and substituted a dead battery that he had for it, which I then had to charge. Not for the first time, either, because at the time I noticed that the date of manufacture of the battery that he took was later than the date I had purchased the laptop.

I am biding my time until I get money, a new computer, and back online.

I feel that law enforcement “authorities” are investigating “crime” at my expense without reimbursing me for the inconvenience or taking crimes against my person and my property seriously. They need to get their nose out of my business, pull both their “investigators” and their “criminal suspects” off my back, and stop “watching” me for their own entertainment. Birds of a feather, guilt by association, and all that, because a badge does not automatically confer innocence on a gunman.

Freudian Chips January 23, 2018 6:12 PM

fake secure messaging clients like Signal and WhatsApp.

Freudian slip? deliberate letting a cat out of a bag? plausible deniability?
Immediately, useful voices suggest the correct words to use as not to cast any doubt at all that certain Apps are in any way suspect.

how about, “The malware leverages the perceived security value of well known USG funded messaging apps”.

How many orders of magnitude between what the US Gov spent developing these apps versus promoting them?

Ratio January 23, 2018 7:09 PM

@Freudian Chips,

Immediately, useful voices suggest the correct words to use as not to cast any doubt at all that certain Apps are in any way suspect.

No, the aim was to accurately reflect what’s in the report (hence the quote). And I would know, since I posted the only comment that suggested a rewording.

Maybe turn down the Freudian projection a bit?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.