GoldenJackal targets embassies and vulnerable systems using malware toolkits

By Admin · October 8, 2024 · 5 Mins Read
October 8, 2024Ravi LakshmananCyber ​​attack / malware

Airgapped systems using malware toolkits

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and government organizations with the aim of breaching air-gapped systems using two different custom toolsets.

The victims include a South Asian embassy in Belarus and a European Union (EU) governmental organization, Slovak cybersecurity company ESET reported.

“GoldenJackal’s ultimate goal appears to be to steal sensitive information, especially from high-profile machines that may not be connected to the Internet,” security researcher Matías Porolli noted in an exhaustive analysis.

GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks against government and diplomatic entities in the Middle East and South Asia. The adversary's origins go back to at least 2019.

An important characteristic of the intrusions is the use of a worm called JackalWorm, which is capable of infecting connected USB drives and delivering a Trojan called JackalControl.


While there is insufficient evidence to conclusively link the activity to a specific nation-state, there is some tactical overlap with malicious tools used in campaigns tied to Turla and MoustachedBouncer, the latter of which has also targeted foreign embassies in Belarus.

ESET said it detected GoldenJackal artifacts at the South Asian embassy in Belarus in August and September 2019 and again in July 2021. Also of note is that the threat actor managed to deploy an entirely revamped toolset against the EU governmental organization between May 2022 and March 2024.

“With the level of sophistication required, it is quite extraordinary that in five years GoldenJackal has managed to create and deploy not one, but two separate toolkits designed to compromise air-gapped systems,” Porolli noted. “It speaks to the resourcefulness of the group.”

Besides JackalControl, JackalSteal and JackalWorm, three other malware families were used in the attack on the South Asian embassy in Belarus:

  • GoldenDealer, which is used to deliver executables to an air-gapped system via compromised USB drives
  • GoldenHowl, a modular backdoor capable of stealing files, creating scheduled tasks, uploading/downloading files to and from a remote server, and creating an SSH tunnel, and
  • GoldenRobo, a tool for collecting files and exfiltrating data

On the other hand, the attacks targeting the unnamed government organization in Europe were found to rely on an entirely new set of malware tools, mostly written in Go. They are designed to harvest files from USB drives, spread malware through USB drives, exfiltrate data, and use certain machines as servers to distribute payloads to other hosts:

  • GoldenUsbCopy and its improved successor GoldenUsbGo, which monitor USB drives and copy files for exfiltration
  • GoldenAce, which is used to spread malware, including a lightweight version of JackalWorm, to other systems (not necessarily air-gapped ones) via USB drives
  • GoldenBlacklist and its Python implementation GoldenPyBlacklist, which are designed to process emails of interest for later exfiltration
  • GoldenMailer, which sends the stolen information to the attackers via e-mail
  • GoldenDrive, which uploads the stolen information to Google Drive

It is currently not known how GoldenJackal achieves initial compromise of the target environment. However, Kaspersky has previously hinted at the possibility of trojanized Skype installers and malicious Microsoft Word documents as entry points.

GoldenDealer, which is already present on an Internet-connected computer and is delivered via a yet-to-be-determined mechanism, is triggered when a USB drive is inserted, causing itself and an unknown worm component to be copied to the removable device.


The unknown component is believed to execute when the infected USB drive is plugged into an air-gapped system, after which GoldenDealer stores information about that machine on the USB drive.

When the USB device is inserted into the aforementioned Internet-connected machine a second time, GoldenDealer transmits the information stored on the drive to an external server, which then responds with the appropriate payload to run on the air-gapped system.

The malware is also responsible for copying the downloaded executables to the USB drive. In the final stage, when the device is reconnected to the air-gapped machine, GoldenDealer takes the copied executables and runs them.
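As an added defender-side illustration (not code from the article or from ESET), the script below turns the USB round trip just described into three detection rules run over constructed host telemetry: an executable landing on removable media on the online host, something executing from removable media on the isolated host, and that process writing data back to the same drive for the return trip; it also flags a USB serial seen on both sides of the gap. The log format, host names, paths and USB serial are all assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (invented hosts, paths and serial; not real IoCs).
# Assumed line format: ts|host|role|event|key=value ...  where role is 'online'
# for the Internet-connected PC or 'isolated' for the air-gapped one.
SAMPLE_EVENTS = """\
2024-03-01T09:00:01|WS-ONLINE-1|online|usb_insert|vol=E: serial=SN-0001
2024-03-01T09:00:04|WS-ONLINE-1|online|file_write|path=E:\\update.exe proc=svchost.exe
2024-03-01T09:00:05|WS-ONLINE-1|online|file_write|path=E:\\notes.docx proc=WINWORD.EXE
2024-03-01T10:15:00|WS-ISOLATED-7|isolated|usb_insert|vol=F: serial=SN-0001
2024-03-01T10:15:03|WS-ISOLATED-7|isolated|proc_start|image=F:\\update.exe parent=explorer.exe
2024-03-01T10:15:09|WS-ISOLATED-7|isolated|file_write|path=F:\\sysinfo.dat proc=update.exe
"""

EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1")

def parse(text):
    """Yield one dict per telemetry line (values contain no spaces in this format)."""
    for line in text.splitlines():
        ts, host, role, event, details = line.split("|", 4)
        kv = dict(item.split("=", 1) for item in details.split())
        yield {"ts": ts, "host": host, "role": role, "event": event, **kv}

def detect(text):
    """Return (host, rule, detail) alerts for each stage of the USB round trip."""
    removable = defaultdict(set)     # host -> removable volume letters seen
    serial_roles = defaultdict(set)  # USB serial -> roles of the hosts it touched
    from_usb = defaultdict(set)      # host -> basenames of images launched from USB
    alerts = []
    for ev in parse(text):
        h, role = ev["host"], ev["role"]
        def on_usb(path):  # drive letter belongs to a removable volume on this host
            return path[:2].upper() in removable[h]
        if ev["event"] == "usb_insert":
            removable[h].add(ev["vol"].upper())
            serial_roles[ev["serial"]].add(role)
            if serial_roles[ev["serial"]] >= {"online", "isolated"}:
                alerts.append((h, "usb_bridges_online_and_isolated", ev["serial"]))
        elif ev["event"] == "file_write" and role == "online":
            # Stage 1: executable dropped onto removable media on the online host.
            if on_usb(ev["path"]) and ev["path"].lower().endswith(EXEC_EXT):
                alerts.append((h, "exe_staged_on_removable", ev["path"]))
        elif ev["event"] == "proc_start" and role == "isolated":
            # Stage 2: anything executing from removable media on an air-gapped host.
            if on_usb(ev["image"]):
                from_usb[h].add(ev["image"].rsplit("\\", 1)[-1].lower())
                alerts.append((h, "exec_from_removable_on_isolated", ev["image"]))
        elif ev["event"] == "file_write" and role == "isolated":
            # Stage 3: that process writing collected data back to the drive.
            if on_usb(ev["path"]) and ev["proc"].lower() in from_usb[h]:
                alerts.append((h, "writeback_to_removable_on_isolated", ev["path"]))
    return alerts
```

On the constructed sample the rules fire once per stage, while the ordinary document copy on the online host is ignored.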

For its part, GoldenRobo also runs on the Internet-connected PC and is equipped to retrieve files from the USB drive and transfer them to an attacker-controlled server. The malware, written in Go, gets its name from its use of the legitimate Windows utility robocopy to copy the files.

ESET said it has yet to find the separate module that takes care of copying files from the air-gapped computer to the USB drive itself.

“The successful deployment of two separate air-gap hacking toolsets in just five years suggests that GoldenJackal is a sophisticated threat actor that is aware of the network segmentation used by its targets,” Porolli said.
