GoldenJackal Targets Embassies and Air-Gapped Systems Leveraging Malware Toolsets
An obscure threat actor identified as GoldenJackal has been associated with a series of cyber incursions aimed at embassies and governmental entities with the objective of penetrating air-gapped systems using two distinct custom tool bundles.
The targets comprised a South Asian embassy located in Belarus and an organization of the European Union (E.U.), as reported by the Slovak cybersecurity firm ESET.
“The primary intention behind GoldenJackal appears to be pilfering sensitive data, particularly from high-profile devices that may not be linked to the internet,” noted cybersecurity analyst Matías Porolli in an extensive examination.
GoldenJackal came into the spotlight in May 2023 following revelations from the Russian cybersecurity company Kaspersky about the group’s assaults on governmental and diplomatic organizations in the Middle East and South Asia. The adversary’s activity can be traced back to at least 2019.
A notable aspect of these intrusions is the utilization of a worm named JackalWorm, which is proficient in infecting connected USB devices and distributing a trojan named JackalControl.
While the activity cannot be conclusively attributed to a specific nation-state, there are certain tactical similarities with the malicious software employed in operations attributed to Turla and MoustachedBouncer, the latter of which has also targeted foreign embassies in Belarus.
ESET revealed that they identified artifacts related to GoldenJackal at a South Asian embassy located in Belarus in August and September 2019, and again in July 2021. Of particular interest is the group’s ability to introduce an entirely overhauled tool collection between May 2022 and March 2024 when targeting a government entity in the European Union.
“The fact that in five years GoldenJackal managed to devise and deploy not just one but two distinct tool collections aimed at infiltrating air-gapped systems showcases the adaptability of the group,” highlighted Porolli. “This underlines the resourcefulness of the team.”
The attack on the South Asian embassy in Belarus reportedly involved three different sets of malicious software, in addition to JackalControl, JackalSteal, and JackalWorm:
- GoldenDealer, which pushes executables to air-gapped systems via compromised USB devices
- GoldenHowl, a flexible backdoor capable of file theft, task scheduling, file transfers to and from a remote server, and SSH tunnel creation
- GoldenRobo, a tool for collecting files and exfiltrating data
The assaults directed at the undisclosed European government organization, however, have centered on a brand-new suite of malicious software primarily coded in Go. These tools are engineered for file extraction from USB drives, propagation of malware via USB drives, data exfiltration, and the use of specific servers as distribution points for payloads to other hosts:
- GoldenUsbCopy along with its enhanced version GoldenUsbGo, which oversee USB drives and extract files for exfiltration
- GoldenAce, used to disseminate malware, including a streamlined version of JackalWorm, to devices (not necessarily air-gapped) via USB drives
- GoldenBlacklist and its Python iteration GoldenPyBlacklist, tailored to sift through relevant email content for future exfiltration
- GoldenMailer, responsible for transmitting pilfered data to threat actors via email
- GoldenDrive, for uploading stolen data to Google Drive
The method through which GoldenJackal gains initial access to breach target environments remains undisclosed. However, there have been suggestions by Kaspersky in the past about the potential use of trojanized Skype installers and malicious Microsoft Word documents as entry vectors.
Upon insertion of a USB drive into a computer connected to the internet, GoldenDealer, which is already present in the system via an unidentified delivery method, activates itself along with an undisclosed worm component, both of which are then copied to the removable device.
It is suspected that the undisclosed component is triggered when the infected USB drive is connected to the air-gapped system, following which GoldenDealer stores information about the machine on the USB drive.
Upon re-insertion of the USB device into the previously mentioned internet-connected machine, GoldenDealer transfers the stored information from the drive to an external server, which then sends appropriate payloads to be executed on the air-gapped system.
The malware is also responsible for duplicating the downloaded executables onto the USB drive. In the final phase, upon reconnection to the air-gapped machine, GoldenDealer retrieves and runs the copied executables.
In parallel, GoldenRobo operates on the internet-connected PC and is capable of taking files from the USB drive and sending them to the attacker-controlled server. The malware, developed in Go, derives its name from the usage of a legitimate Windows tool called robocopy for file copying.
ESET revealed that they have not yet identified a specific module responsible for transferring files from the air-gapped computer back to the USB drive itself.
“The ability to deploy two distinct toolsets for breaching air-gapped networks within just five years demonstrates that GoldenJackal is a sophisticated threat actor that understands the network isolation techniques used by its targets,” Porolli mentioned.