GoldenJackal State Hackers Silently Attacking Govts Since 2019

Cyber Security Threat Summary:
Kaspersky recently disclosed the activities of a lesser-known advanced persistent threat group called GoldenJackal. This group has been engaged in espionage against government and diplomatic organizations in Asia since 2019. To maintain a covert presence, the threat actors have been cautious in their operations. They carefully choose their targets and limit the frequency of their attacks, aiming to minimize the risk of detection. Kaspersky, which has been monitoring GoldenJackal since 2020, has revealed that the group is active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.

Kaspersky found that GoldenJackal utilizes a customized set of .NET malware tools with diverse functionalities. These tools encompass activities such as credential dumping, data theft, malware deployment, lateral movement, file extraction, and more. The initial payload employed by the group to infect a targeted system is known as Jackal Control. This payload grants the attackers remote access and control over the compromised device. The malware can be executed as a program or a Windows service and can establish persistence by creating Registry keys, Windows scheduled tasks, or Windows services. To receive instructions, the malware communicates with the C2 server through HTTP POST requests. These requests contain encoded commands for executing arbitrary programs, exfiltrating files, or fetching additional payloads from the C2 server.

“The second tool used by the hackers is 'JackalSteal,' an implant devoted to data exfiltration from all logical drives on the compromised computer, including remote shares and even newly connected USB drives. The attackers can execute the stealer with arguments determining the targeted file types, paths, sizes, when files were last used, and exclude specific paths that security tools might monitor. All files matching the set parameters are encrypted using AES, RSA, or DES, then compressed with GZIP, and eventually transmitted to the C2 server.

The third tool in GoldenJackal's arsenal is 'JackalWorm,' which infects USB drives to spread on potentially other valuable computers. "When the malware detects a removable USB storage device, it will copy itself onto it," reads the Kaspersky report. "It will create a copy of itself on the drive root using the same directory name and change the directory's attribute to 'hidden.' This will result in the actual directory being hidden and replaced with a copy of the malware with the directory name." To obfuscate its nature and trick the victim into executing it, 'JackalWorm' uses a Windows directory icon on the removable drive. If that happens, the worm will infect the host system, establish persistence by creating a scheduled task, and then wipe its copy from the USB drive.

The fourth tool used by the Golden Jackal APT is 'JacklPerInfo,' a basic system information collector with the additional capabilities of identifying and exfiltrating browsing history and credentials stored in web browsers. Serving like a typical info-stealer malware, JacklPerInfo can also exfiltrate files from the Desktop, Documents, Downloads, and AppData\Roaming\Microsoft\Windows\Recent directories.

The fifth and final malware tool presented in Kaspersky's report is the 'JackalScreenWatcher,' which is used for snapping screenshots on the infected device. The operators can specify the resolution and image-capturing time intervals, and the tool will send the media to the C2 via HTTP POST requests in the form of encrypted payloads” (Bleeping Computer, 2023).
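The removable-drive pattern described for JackalWorm above (a real directory set to hidden, beside an executable that carries the directory's name and a folder icon) leaves a structural trace that a defender can check for. The following is an added example, not code from Kaspersky's report or the Bleeping Computer article: it flags any hidden directory on a drive root that sits next to a non-hidden launchable file sharing its base name. The list of launchable extensions and the sample listing are assumptions, since the report quoted here does not name the worm's file extension.

```python
import os
import stat
from dataclasses import dataclass

# Assumption: extensions a folder-lookalike file would plausibly use.
LAUNCHABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk"}
# Pure-Python fallback value matches Windows' FILE_ATTRIBUTE_HIDDEN (2).
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)


@dataclass(frozen=True)
class Entry:
    name: str        # file or directory name in the drive root
    is_dir: bool
    is_hidden: bool  # Windows "hidden" attribute is set


def find_folder_masquerades(entries):
    """Return sorted (hidden_dir, lookalike_file) pairs.

    A hit is a hidden directory plus a non-hidden launchable file whose base
    name equals the directory name (compared case-insensitively, as NTFS/FAT
    names are)."""
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.is_hidden}
    hits = []
    for e in entries:
        if e.is_dir or e.is_hidden:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() in LAUNCHABLE_EXTS and base.lower() in hidden_dirs:
            hits.append((hidden_dirs[base.lower()], e.name))
    return sorted(hits)


def list_root(root):
    """Build Entry objects for a mounted drive root. The hidden attribute is
    read from st_file_attributes, which only exists on Windows; elsewhere
    nothing is reported hidden."""
    out = []
    for name in os.listdir(root):
        st = os.stat(os.path.join(root, name))
        attrs = getattr(st, "st_file_attributes", 0)
        out.append(Entry(name, stat.S_ISDIR(st.st_mode), bool(attrs & HIDDEN_ATTR)))
    return out


# Constructed sample listing: "Reports" has been hidden and a same-named
# executable placed beside it; "Photos" and "notes.txt" are benign.
SAMPLE_ENTRIES = [
    Entry("Reports", True, True), Entry("Reports.exe", False, False),
    Entry("Photos", True, False), Entry("notes.txt", False, False),
]

if __name__ == "__main__":
    for hidden_dir, lookalike in find_folder_masquerades(SAMPLE_ENTRIES):
        print(f"suspicious: hidden dir {hidden_dir!r} shadowed by {lookalike!r}")
```

Running `list_root("E:\\")` on a Windows host feeds a real drive root into the same check; a hit is a reason to inspect the file rather than double-click it.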

Security Officer Comments:
The GoldenJackal group primarily focuses on government and diplomatic entities in the Middle East and South Asia. Surprisingly, despite operating for several years, this group has managed to remain relatively unknown. The specific methods used by the APT to infiltrate their targets are undisclosed. Nevertheless, researchers have identified indications of phishing campaigns utilizing malicious documents that leverage the remote template injection technique to exploit the Microsoft Office Follina vulnerability. While limited information is available regarding the APT's specific operational strategies, the observed variety in infection methods, coupled with the utilization of highly advanced malware tools, indicates the sophistication of this threat actor.

Suggested Correction(s):
Researchers at SecureList by Kaspersky have published IOCs associated with the GoldenJackal APT group that can be used for detection:

https://securelist.com/goldenjackal-apt-group/109677/

Link(s):
https://www.bleepingcomputer.com/