A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and government organizations with the aim of breaching air-gapped systems using two different custom toolsets.
The victims included a South Asian embassy in Belarus and a European Union (EU) government organization, the Slovak cybersecurity company ESET reported.
“GoldenJackal’s ultimate goal appears to be to steal sensitive information, especially from high-profile machines that may not be connected to the Internet,” security researcher Matías Porolli noted in a comprehensive analysis.
GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks against government and diplomatic organizations in the Middle East and South Asia. The adversary's origins date back to at least 2019.
A notable characteristic of the intrusions is the use of a worm called JackalWorm, which is capable of infecting connected USB drives and delivering a trojan called JackalControl.
While there is insufficient information to conclusively attribute the activity to a specific nation-state, there is some tactical overlap with malicious tools used in campaigns linked to Turla and MoustachedBouncer, the latter of which has also targeted foreign embassies in Belarus.
ESET said it detected GoldenJackal artifacts at the South Asian embassy in Belarus in August and September 2019 and again in July 2021. Of particular interest is how the threat actor managed to deploy a completely updated toolset between May 2022 and March 2024 against the EU government organization.
“With the level of sophistication required, it is quite extraordinary that in five years GoldenJackal has managed to create and deploy not one, but two separate toolkits designed to compromise air-gapped systems,” Porolli noted. “It speaks to the resourcefulness of the group.”
In addition to JackalControl, JackalSteal and JackalWorm, three further malware families were used in the attack on the South Asian embassy in Belarus:
- GoldenDealer, which is used to deliver executable files to an air-gapped system via compromised USB drives
- GoldenHowl, a modular backdoor capable of stealing files, creating scheduled tasks, uploading/downloading files to and from a remote server, and creating an SSH tunnel, and
- GoldenRobo, a tool for collecting files and exfiltrating data
On the other hand, the attacks targeting an unnamed government organization in Europe were found to rely on an entirely new set of malware tools, mostly written in Go. They are designed to harvest files from USB drives, spread malware through USB drives, exfiltrate data, and use certain machines as proxy servers to distribute payloads to other hosts:
- GoldenUsbCopy and its improved successor GoldenUsbGo, which monitor USB drives and copy files for exfiltration
- GoldenAce, which is used to spread malware, including a lightweight version of JackalWorm, to other systems (not necessarily air-gapped ones) via USB drives
- GoldenBlacklist and its Python implementation GoldenPyBlacklist, which are designed to process emails of interest for later exfiltration
- GoldenMailer, which sends stolen information to the attackers via e-mail
- GoldenDrive, which uploads the stolen information to Google Drive
It is currently unknown how GoldenJackal achieves the initial compromise of a target environment. However, Kaspersky has previously hinted at trojanized Skype installers and malicious Microsoft Word documents as possible entry points.
GoldenDealer, already present on an Internet-connected computer and delivered via a yet-to-be-determined mechanism, is triggered when a USB drive is inserted, causing itself and an unknown worm component to be copied to the removable device.
The unknown component is suspected to execute when the infected USB drive is plugged into an air-gapped system, after which GoldenDealer stores information about that machine on the USB drive.
When the USB device is inserted into the aforementioned Internet-connected machine a second time, GoldenDealer transmits the information stored on the drive to an external server, which responds with the appropriate payloads to run on the air-gapped system.
The malware is also responsible for copying the downloaded executables to the USB drive. In the final stage, when the device is reconnected to the air-gapped machine, GoldenDealer takes the copied executables and runs them.
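The relay pattern above suggests a simple control on the air-gapped side, shown here as an added example that is not ESET's analysis or any GoldenJackal code: inventory a removable drive before it leaves and diff it when it returns, flagging anything new or modified, executables first. The file names and extension list are assumptions.

```python
# Added example: baseline-and-diff check for removable media crossing an air gap.
# Not ESET's tooling or GoldenJackal code; file names and extensions are assumed.
import hashlib
import tempfile
from pathlib import Path

# Extensions that should never appear on a drive after a trip to an online host.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".lnk", ".vbs", ".js"}

def snapshot(root):
    """Map every file under root (relative POSIX path) to (size, sha256)."""
    inventory = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return inventory

def diff_snapshot(before, after):
    """Classify changes between two snapshots of the same drive."""
    added = [p for p in after if p not in before]
    modified = [p for p in after if p in before and after[p] != before[p]]
    removed = [p for p in before if p not in after]
    changed = added + modified
    return {
        "new_executables": sorted(p for p in changed if Path(p).suffix.lower() in EXEC_SUFFIXES),
        "new_or_modified": sorted(changed),
        "removed": sorted(removed),
    }

def demo():
    """Constructed sample: the same drive before and after a trip to the online machine."""
    with tempfile.TemporaryDirectory() as drive:
        root = Path(drive)
        (root / "report.docx").write_bytes(b"quarterly report")
        (root / "notes.txt").write_bytes(b"meeting notes")
        before = snapshot(root)
        # Constructed stand-ins for a staged payload and collected host information.
        (root / "update.exe").write_bytes(b"MZ\x90\x00constructed-payload")
        (root / "host.dat").write_bytes(b"hostname=AIRGAP-01;os=win10")
        (root / "notes.txt").write_bytes(b"meeting notes (changed)")
        after = snapshot(root)
        return diff_snapshot(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored on the air-gapped side, so a drive that returns with unexpected executables or data files is refused before anything on it can run.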
For its part, GoldenRobo also runs on the Internet-connected PC and is equipped to retrieve files from the USB drive and transfer them to an attacker-controlled server. The Go-based malware gets its name from its use of a legitimate Windows utility called robocopy to copy the files.
ESET said it has yet to discover a separate module that takes care of copying files from an air-gapped computer to the USB drive itself.
“The successful deployment of two separate air-gap toolsets in just five years suggests that GoldenJackal is a sophisticated threat actor that is aware of the network segmentation used by its targets,” Porolli said.