Hello, hello, all. So who here does not know what the EFF is? Come on, it's okay. Don't be shy. There's some -- all right. Well, the EFF is an amazing organization and they saved my ass very, very much. So I'd like to thank them that I'm here and not in federal somewhere. But our next speaker, right, is from the EFF, an amazing organization and they do amazing work, but this presentation is about tracking the world's dumbest cyber mercenaries and it's going to be excellent. So let's give a round of applause for our next speaker.

Hi, everyone. How's it going? Before I get started, I want to mention that at 8 p.m. we have an Ask the EFF panel in track three. So if you have further questions for me after this is over, or for our lawyers or anybody else, you're welcome to come to that. Also on Saturday night at 6 p.m. in the chill-out room, I am hosting EFF Tech Trivia, which will be a pub-trivia-style event where you can win EFF swag and also bribe the judges by donating to EFF. So come check that out as well if you're around and have nothing better to do Saturday night. That said, this talk is called Tracking the World's Dumbest Cyber Mercenaries, and I'm going to tell you about this cyber mercenary group that I've been tracking for the last five years and all of the mistakes they've made, but why they're still actually very effective. But to tell this story, I first need to tell you the story of Irina Petrushova. Irina Petrushova is the editor-in-chief of a newspaper called Respublika, which was at the time in Kazakhstan. Kazakhstan is not known for its freedom of the press or its general democratic tendencies. So Irina had made quite the enemies of the state of Kazakhstan by constantly publishing negative stories about Kazakhstan's only president they had ever had and also exposing a lot of his corruption and scandals and things like that.
She made such enemies of them, in fact, that they ended up leaving a skull on her, a human skull, on her doorstep with a note that said stop publishing. When she didn't stop publishing, they killed her dog and hung it outside of her office window with a note that said there will be no next time. When she still didn't stop publishing, they kidnapped her child from the school that he went to and held him for ransom until she agreed to stop publishing. When she got her child back and then continued publishing, they ended up firebombing her office, and after that she ended up escaping to Russia to get a little bit more freedom. So while in Russia, she continued publishing Respublika, and this site popped up around the same time called Kazaword. Kazaword hosted a leaked trove of emails from the president of Kazakhstan, including emails detailing his campaigns to spy on the only opposition politician in Kazakhstan, his various corruptions and briberies and things of that nature, and Respublika did a lot of reporting on these emails. They made a lot of hay out of it. The government of Kazakhstan, the president of Kazakhstan, did not like this, and since she was in Russia and there was nothing he could do about it anymore, they decided to sue her in the district court of New York because the website was hosted in New York, and that's where EFF comes in. We ended up giving her a legal defense, and as we were defending her, she started receiving these strange emails. This is a phishing email she received in Gmail that pretends to be from a human rights lawyer in Kazakhstan that says here's your invoice, please read the invoice. And when you open the PDF, it's this blurry image and then an error bubble, but when you open the PDF, it installs this malware which we call Bandook, and we wrote about this malware in a 2015 report called Operation Manul. Bandook is a piece of spyware, and in its capabilities it's not much different from high-end malware like Pegasus.
It has the ability, like any other spyware, to capture screenshots, turn on the microphone, start your webcam without turning on the light, upload and download files, get Wi-Fi information, and it has the ability to download secondary infections, which will become important later. The interesting thing about this campaign, when we started looking into Bandook, is the command and control servers for the malware were running Windows. And specifically, they were running the Windows Apache MySQL PHP stack called XAMPP. A fun thing about XAMPP is that by default, it leaves directory indexes open. So if you don't have an index.html file, you can see the list of all the files that are in the directory. Another fun thing is that this attacker decided to leave all their exfiltrated files within the web root. So we were able to, using DirBuster, scan these directories, find the exfiltrated files and download them all and figure out information about who was being targeted in this. Of course, Irina was being targeted, but there were also other targets, other folks in Kazakhstan were targets, and we found what we thought was maybe a Vietnamese cigarette company that was a target. It was all very odd. But we also found web panels, sorry, not web panels, but the web logins for their command and control centers. So we found these two web logins for the command and control centers, and there was some fun there to be had as well. We also found all of these files, backups from entire Windows machines, and backups and files extracted from mobile devices, which gave us the theory that there might be a mobile component to this as well. So it turns out there was. About a year later, some people from Lookout Mobile Security reached out to us and said, hey, that mobile component that you mentioned might exist in your Operation Manul report, we think we found it.
And so we ended up writing another report with them called Dark Caracal, which is where we came up with the name for this actor. And we named the mobile component Pallas, because that's another name for a caracal, Pallas cat. The Pallas malware, again, has pretty standard features that you would expect in spyware. But it also, in this case, was being distributed as backdoored versions of popular secure messaging apps. Well, "secure" with quotes around it. Threema, but also Signal, WhatsApp, some other things I've never heard of, Orbot and Psiphon, and also a copy of Flash Player, because what Flash Player needs is more malware. But they were fully functional apps that had this Pallas spyware built into them. The Pallas spyware was also able to take photos with the front and back camera, get GPS coordinates, turn on the microphone, upload and download files, make a hot mic, and it was able to collect information about the Wi-Fi access points that were available. Again, this will be important later. Because, again, they were still using XAMPP and the files were still within the web root, we were able to find a total of 81 gigabytes of exfiltrated data from infected machines. About 60% of that was from Android campaigns and 40% of that was from infected Windows machines. But another fun thing about XAMPP is that it enables by default a module called Apache status. What Apache status does is it gives you a real-time log of everybody visiting the server that is accessible via the website. So you go to commandandcontrol.com/server-status, and you get a real-time hit of everybody who's visiting the website. So we could not only get the IP addresses of everybody that was infected, because their machines were uploading content, but we could also get the IP addresses of the attackers as they went to the web administration portals for their command and control. So where in the world is Dark Caracal?
Where are all these IP addresses located? There were IP addresses coming, and this was for infected machines, from all over the world, the United States, Canada, some bits of Europe and Southeast Asia, but the vast majority of them were in Lebanon. Also, when we looked at the admin console logins, all of them were coming from Beirut, downtown Beirut. This is interesting, because when we looked up the authorship for the Bandook malware, which is public, the author of the Bandook malware, who goes by the name Prince Ali, claims that he lives in Beirut. So, hmm, things are starting to come together here, but we found another interesting thing, which was that when we put all this exfiltrated data into a Maltego graph, there was a giant cluster of phones that seemed to be all the real phones that were infected, but there was this little cluster of phones that popped up outside of any of the other graphs that weren't connected to anything else. And all those phones appeared to have test data on them. All the text messages that were exfiltrated were things like test, test, hack, hack. The only pictures on those phones were, like, up-the-nose shots of somebody in their office. And they were the first phones to be infected, and they only ever connected to this one Wi-Fi access point, which was BLD3F6, which we thought might mean Building 3 Floor 6. We used an open-source database called WiGLE to map where the BLD3F6 Wi-Fi access point was. And it turns out that it's in downtown Beirut. Hmm, what's going on here? But where is it exactly in downtown Beirut? Luckily, we have friends in Beirut. They went out and looked for us. And what they found was that it's in the only building in downtown Beirut in that area with more than six floors. And it's right next to Campus France Lebanon, but it's not that.
It is the headquarters of the General Directorate of General Security, which is Lebanon's CIA, FBI, and, like, border patrol, DHS all kind of rolled into one. So we figured that this is pretty much, we caught them red-handed, right? And after we published the report, we sent it to the GDGS, or somebody, a journalist, sent it to the GDGS and actually knocked on their door, which takes guts. And their response to the report was, this is totally untrue. We didn't spy, but if we did, it was totally legal and we can do whatever we want. But also this report was probably written by the CIA or Mossad, and you should ignore everything in it. But also it's all true and it's legal and it's fine. So that was interesting. But what's going on here? Why is the GDGS also hacking an opposition reporter in Kazakhstan? Why are they hacking a Vietnamese cigarette importer? What connection do these all have? And the conclusion that we came to, I have to remind myself of the next slide, is that this must be a mercenary op. We think that Prince Ali, who wrote Bandook, who as far as we know is the only one who has the Bandook malware, is working for the GDGS during the day and moonlighting at night, working for other folks, hacking Vietnamese cigarette companies and working for a private investigator who was hired by Kazakhstan to do cyber ops, perhaps. But it's really interesting because normally actors that are clearly state sponsored, for which we have pretty good attribution, don't also moonlight doing criminal stuff. So we're still not sure. A couple more reports came out in the last couple of years about Bandook, about the Dark Caracal group. ESET put out a report called Bandidos at Large, which detailed a big Bandook campaign in Venezuela. And Check Point Research put out another report about Bandook called Signed and Delivered, which detailed another campaign.
And then in 2022, we found a new sample of Bandook. And so we decided to take a look at it. Bandook, by the way, in Hindi means gun. So there's a series of Bollywood action movies called Bandook. It also, apparently, in Lebanese means bastard. So, yeah. Anyway, so we started looking at this new malware. And like I mentioned, the malware has the ability to download a secondary infection. And it does that from a second domain, which is orthogonal to its command and control server. So I looked at the Bandook malware. I extracted the domains. And the first domain was a .ru domain. And it had the command and control server running. They're no longer running XAMPP. They've learned their lesson. They're no longer running Apache at all. The only ports they have open now are the ones necessary for command and control. Good for them. But the second server, it turns out they forgot to register it. They never registered their command and control domain. So being a helpful guy, I registered it for them. They can use all the help they can get. So I registered the domain and set up a sinkhole. And started collecting all of the traffic from, or not all of the traffic. We're not the NSA. I started collecting the traffic coming from the infected machines to the secondary command and control server. And got a good idea and a good map of all of the infected machines. And also because we're EFF, we wrote a privacy policy for the sinkhole to make sure that everybody knew exactly what we're doing with the data that went to the sinkhole. But what we saw was about 700 or 800 infected machines connecting to it every weekday. And on weekends, that number drops to like between 100 and 300. So we think these are probably business machines that aren't being used on the weekends. But when we mapped out the locations, what was really interesting was that there were a few infections in the US, a few infections in other parts of South America, a lot of infections in Venezuela.
But by two orders of magnitude, most of the infections were in the Dominican Republic. The Dominican Republic is not usually known as a big target for hacking. But also we didn't really know why. We didn't have a sort of victimology like we had in the Lebanon case. In the Lebanon case, they were hacking people who were on the border of Lebanon and Syria. Presumably over, like, you know, spying on people they thought might be going to fight in the Syrian Civil War. In the Kazakhstan case, the victimology was pretty clear: Irina Petrushova. But in this case, we weren't sure. About a month ago, I was listening to an episode of Darknet Diaries and they did a report on a guy who works for a CERT in South America who ended up finding this campaign, looking into this campaign after we published our report. And what he found was that the Bandook infections that Dark Caracal had deployed were being used to deploy Conti, the ransomware, which the Conti ransomware gang keeps very tight control of. So this gives us the impression that Dark Caracal is now somehow partnering with the Conti ransomware group to start ransomwaring machines in tiny countries like the Dominican Republic where there's not a whole lot of infrastructure and, frankly, the West doesn't give a shit. So you're not going to attract a lot of attention. But we don't know what's going on here. Is it that state-sponsored hacking wasn't paying enough, so the Dark Caracal gang started turning toward more traditional cyber crime? It's unclear. But it does represent an escalation in their tactics. And if they go back to going after political targets, I'm concerned that we're going to start seeing ransomware as an attack deployed against political targets to silence them. Overall, I award Dark Caracal the dunce cap. They've made a lot of stupid mistakes over the years and I've learned a lot about malware reversing from their stupid mistakes. So thanks, guys.
But they are the kind of derpy dragon of the group, right? They're not the NSO Group. They're not DarkMatter. But this meme is actually very appropriate because they're still a dragon. They've still managed to infect thousands and thousands of machines over several years. And it turns out that writing reports about malware doesn't actually stop the malware authors from writing malware and continuing to infect people. So I don't know. There's got to be a better way. Despite the number of mistakes they've made, they're super effective. And I think that this is a growing problem. The number of cyber mercenaries in general is growing by a lot. And, you know, I think that there's starting to be a spectrum of it, right? Not everybody has to be an NSO Group. Not everybody has to be a DarkMatter. There's a lot of spyware and stalkerware companies and, like, lower-end mercenaries, like Appin and Dark Caracal, that I think are going to start working for, you know, people who can't afford NSO Group, people who can't afford Dark Caracal, maybe people who aren't acting with, like, full state authorization or who are, but who don't, you know, even care about, you know, the vague pretenses of rule of law that, say, like, you know, Israel sometimes pretends to care about, or the U.S. sometimes pretends to care about. Overall, I think that this is going to grow. And I think that this growth is because of how successful encryption has been. Web encryption is ubiquitous at this point. And end-to-end encryption is nearly there as well. Three billion people are sending end-to-end encrypted messages every day now over WhatsApp and, to a much lesser degree, Signal. But this means, you know, in addition to fighting tooth and nail with horrible laws, governments are increasingly turning to hacking individual devices to spy on people.
And if encryption was the fight of the last 30 years, and maybe the fight of the next 10 now, I think that spyware is also going to be a big battle for the next 30 years. And I think it's something we have to start looking at now and stopping now. That is my talk. Thank you very much.
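The two XAMPP exposures the talk describes, directory indexes enabled by default and the Apache server-status page reachable from the internet, are both plain configuration settings that a defender can audit before a server ever goes live. What follows is an added example, not code from the talk, from EFF, or from any of the reports mentioned: a small Python auditor that walks an Apache configuration, flags `Options Indexes` in any scope, and flags a `SetHandler server-status` block whose access is granted to all clients or not restricted at all, with a constructed XAMPP-style weak configuration beside a hardened form. The two configuration snippets are constructed samples (they are not copied from any real server), and the function and class names are my own.

```python
"""Audit an Apache/XAMPP config for open directory indexes and an exposed
mod_status page. Added example; the sample configs below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Container blocks whose scope matters for Options / Require / SetHandler.
_OPEN = re.compile(r"^<(Directory|Location|DirectoryMatch|LocationMatch)\s+(.+?)>$", re.I)
_CLOSE = re.compile(r"^</(Directory|Location|DirectoryMatch|LocationMatch)>$", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int      # line where the offending directive or block starts
    directive: str    # which exposure class was matched
    detail: str       # human-readable explanation


def _strip(raw: str) -> str:
    """Drop comments and surrounding whitespace from one config line."""
    return raw.split("#", 1)[0].strip()


def audit_apache_config(text: str) -> list[Finding]:
    """Return findings for 'Options Indexes' (directory listing) and for a
    server-status handler that is granted to all clients or left unrestricted."""
    findings: list[Finding] = []
    stack: list[dict] = []  # one entry per open <Directory>/<Location> block
    for no, raw in enumerate(text.splitlines(), 1):
        line = _strip(raw)
        if not line:
            continue
        if (m := _OPEN.match(line)):
            stack.append({"arg": m.group(2), "line": no, "status": False, "require": None})
            continue
        if _CLOSE.match(line) and stack:
            blk = stack.pop()
            if blk["status"]:
                req = blk["require"]
                if req is None:
                    findings.append(Finding(blk["line"], "SetHandler server-status",
                        f"{blk['arg']}: mod_status block has no Require directive; "
                        "access falls through to the enclosing scope"))
                elif req == "all granted":
                    findings.append(Finding(blk["line"], "SetHandler server-status",
                        f"{blk['arg']}: mod_status granted to all clients"))
            continue
        tokens = line.split()
        name = tokens[0].lower()
        scope = stack[-1]["arg"] if stack else "(server-wide)"
        if name == "options":
            # 'Indexes' or '+Indexes' turns listings on; '-Indexes' turns them off.
            if any(t.lower() in ("indexes", "+indexes") for t in tokens[1:]):
                findings.append(Finding(no, "Options Indexes",
                                        f"{scope}: directory listing enabled"))
        elif name == "sethandler" and len(tokens) > 1 and stack \
                and tokens[1].lower() == "server-status":
            stack[-1]["status"] = True
        elif name == "require" and stack:
            # Keep the last Require seen in this block ("all granted", "local", "ip ...").
            stack[-1]["require"] = " ".join(tokens[1:]).lower()
    return findings


# Constructed sample resembling XAMPP's shipped defaults (not copied from any real server).
WEAK_CONF = """\
LoadModule status_module modules/mod_status.so
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
</Directory>
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
"""

# Constructed hardened form: listings off, status page reachable only from localhost.
HARDENED_CONF = """\
LoadModule status_module modules/mod_status.so
<Directory "C:/xampp/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_apache_config(conf)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no}: [{f.directive}] {f.detail}")
```

Run against the weak sample the auditor reports two findings (the `Options Indexes` line inside the htdocs `<Directory>` block and the `/server-status` location granted to everyone); against the hardened sample it reports none. A `<Location>` that sets the status handler but carries no `Require` at all is also reported, since in Apache 2.4 that block simply inherits whatever access the enclosing scope grants, which on a typical XAMPP install is `Require all granted`.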