Summary:
The advanced persistent threat (APT) group known as 'GoldenJackal' has been conducting espionage activities targeting government and diplomatic entities in Asia since 2019. Researchers have been monitoring GoldenJackal since 2020 and recently reported increased activity in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. GoldenJackal, an APT group active for several years, primarily focuses on government and diplomatic entities in the Middle East and South Asia. Despite its prolonged operations, GoldenJackal has remained relatively unknown and had not received public attention until now. The group's precise infection vectors remain unclear.
Researchers have found evidence of phishing attacks utilising malicious documents that use remote template injection to take advantage of the Microsoft Office Follina vulnerability. Researchers also observed a case in which malicious "Skype for Business" installers were used, delivering a trojan alongside a genuine copy of the software. Each of the custom .NET malware tools used by GoldenJackal has a specific function, such as credential dumping, data theft, malware loading, lateral movement, or file exfiltration. The main payload, 'JackalControl,' gives the attackers remote control of the infected computer. It can run as a standalone programme or as a Windows service, and persistence is achieved by adding registry keys, Windows scheduled tasks, or Windows services. The C2 server uses HTTP POST requests to convey encoded commands to the malware, enabling the execution of arbitrary code, file exfiltration, or the retrieval of additional payloads.
The second tool used by GoldenJackal is 'JackalSteal,' which is intended for data exfiltration from all logical drives on the compromised system, including remote shares and newly connected USB devices. The stealer's configuration lets the attackers set specific parameters for targeted file types, paths, sizes, and timestamps, and exclude particular paths from monitoring. The matched files are delivered to the C2 server compressed with GZIP and encrypted with AES, RSA, or DES.
The third tool, 'JackalWorm,' is used by GoldenJackal to infect USB sticks and spread to other potentially valuable systems. When a removable USB storage device is found, the malware hides the original directory and replaces it with a hidden copy of the malware carrying the same name. 'JackalWorm' uses a Windows directory icon to trick the victim into executing it. After infecting the host machine, the worm establishes persistence using a scheduled task and removes its copy from the USB device.
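A defender-side check for the directory-masquerade pattern described above, written as an added example for this summary (it is not code from the original report or from the threat actor): it lists the root of a removable drive and flags any executable whose file name, minus its extension, matches a sibling directory, reporting whether that directory carries the Windows hidden attribute where the platform exposes it. The function names, the extension list beyond `.exe`, and the constructed sample layout are assumptions for illustration.

```python
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Lure extensions to look for. The report names only .exe; the others are
# common executable types added here as an assumption.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def is_hidden(path: Path) -> Optional[bool]:
    """Windows hidden attribute: True/False on Windows, None where unavailable (POSIX)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_directory_masquerades(root: Path) -> list:
    """Flag executables in `root` whose stem equals the name of a sibling directory.

    A folder 'Reports' hidden next to a visible 'Reports.exe' is the pattern a
    USB-propagating worm leaves when it replaces a directory with a lure binary.
    """
    entries = list(Path(root).iterdir())
    dirs = {p.name: p for p in entries if p.is_dir()}
    findings = []
    for p in entries:
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES and p.stem in dirs:
            findings.append({
                "lure": p.name,                     # the executable posing as a folder
                "shadowed_dir": p.stem,             # the directory it shadows
                "dir_hidden": is_hidden(dirs[p.stem]),  # corroborating evidence on Windows
            })
    return sorted(findings, key=lambda f: f["lure"])


def build_constructed_sample() -> Path:
    """Constructed sample drive root: one masquerade pair plus benign entries."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Reports").mkdir()
    (root / "Reports.exe").write_bytes(b"MZ placeholder, not a real binary")
    (root / "Photos").mkdir()
    (root / "readme.txt").write_text("benign file")
    return root


if __name__ == "__main__":
    sample = build_constructed_sample()
    for hit in find_directory_masquerades(sample):
        print(f"suspicious: {hit['lure']} shadows directory {hit['shadowed_dir']}")
```

Run it against the root of a mounted removable drive instead of the constructed sample to triage a device; `dir_hidden` is `None` on non-Windows hosts because the attribute is not exposed there.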
The fourth tool, 'JackalPerInfo,' is a basic system information collector that can also gather browsing history and credentials from web browsers. This information stealer exfiltrates files from directories such as Desktop, Documents, and Downloads. The final tool, 'JackalScreenWatcher,' captures screenshots on the infected device at a specified resolution and time interval, then encrypts the screenshots and sends them to the C2 server via HTTP POST requests.
GoldenJackal conducts long-term espionage operations, employing a sophisticated set of custom tools against a limited number of carefully chosen victims. Although specific operational details remain undisclosed, the diversity of observed infection chains and the capabilities of their malware tools leave no doubt about the advanced nature of this threat actor.
Threat Profile:

References:
The following reports contain further technical details: