ATK27

Presumed Origin: Lebanon

Alias: Dark Caracal, TAG-CT3

ATK27 (aka Dark Caracal) is an advanced persistent threat (APT) group active since January 2012. It is believed to be linked to the Lebanese government, since its activity was traced to the headquarters of the General Directorate of General Security in Beirut, Lebanon. Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally.


REFERENCES

Target sector

  • Defense
  • Education
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • International Organizations
  • Legal Services
  • Manufacturing
  • Media
  • Military

Target countries

  • China
  • France
  • Germany
  • India
  • Italy
  • Jordan
  • Korea, Republic of
  • Lebanon
  • Nepal
  • Netherlands
  • Pakistan
  • Philippines
  • Qatar
  • Russian Federation
  • Saudi Arabia
  • Switzerland
  • Syrian Arab Republic
  • Thailand
  • United States Of America
  • Venezuela, Bolivarian Republic Of
  • Viet Nam

Attack pattern

  • T1005 - Data from Local System
  • T1027 - Obfuscated Files or Information
  • T1027.002 - Software Packing
  • T1045 - Software Packing
  • T1059.003 - Windows Command Shell
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1071 - Standard Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1078 - Valid Accounts
  • T1083 - File and Directory Discovery
  • T1106 - Execution through API
  • T1113 - Screen Capture
  • T1133 - External Remote Services
  • T1189 - Drive-by Compromise
  • T1194 - Spearphishing via Service
  • T1195 - Supply Chain Compromise
  • T1196 - Control Panel Items
  • T1204 - User Execution
  • T1204.002 - Malicious File
  • T1218.001 - Compiled HTML File
  • T1223 - Compiled HTML File
  • T1437 - Standard Application Layer Protocol
  • T1476 - Deliver Malicious App via Other Means
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1566.003 - Spearphishing via Service

Motivation

  • Coercion
  • Financial Gain
  • Ideology

Malware

  • Bandook
  • CrossRAT
  • FinFisher
  • Pallas

Vulnerabilities