Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware

USB sticks help, but it's unclear how tools that suck malware from them are delivered

A cyberespionage APT crew named GoldenJackal hacked air-gapped PCs belonging to government and diplomatic entities at least twice using two sets of custom malware, according to researchers from antivirus vendor ESET.

The firm’s investigators believe GoldenJackal wields a bespoke toolset it used to breach a government org in Europe between May 2022 and March 2024, and a South Asian embassy in Belarus in 2019.

Previously, Kaspersky reported this same gang conducted a "limited number" of attacks against government and diplomatic groups in the Middle East and South Asia beginning in 2020.

While neither vendor’s researchers attributed GoldenJackal’s exploits to a particular nation, ESET notes that the command-and-control protocol used in one of the malware samples is typically used by Turla, a group backed by Russia's Federal Security Service (FSB). This may point to GoldenJackal’s operatives being Russian speakers.

ESET first spotted the unknown malware being used in the European government attacks in May 2022, and at the time couldn't attribute it to any existing crew.

Further analysis revealed connections between the tools that Kaspersky had documented in May 2023, and eventually allowed ESET to identify the 2019 Belarus embassy attack that used older custom code also capable of breaking into air-gapped systems.

"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems" ESET malware researcher Matías Porolli wrote. "This speaks to the resourcefulness of the group."

The gang of cyberspies, according to both security shops, has been active since at least 2019 and codes in C#.

While ESET couldn't determine how GoldenJackal gained initial access to the victim organizations, Kaspersky said the group used fake Skype installers and malicious Word documents. Another infection vector, we're told, used remote template injection to download a malicious HTML page that exploited the Follina vulnerability.

Breaking into air-gapped PCs … twice

The August 2019 attack against the embassy used a set of tools that the researchers say have never again been deployed in an attack.

One component is called “GoldenDealer”, code that watches for the insertion of a USB storage device. If such devices are connected to a PC, this malware can download executables from a C2 server and hide them on removable drives. And on air-gapped machines, it can retrieve additional malware from the USB and then execute it.

Once the USB has been inserted into an air-gapped PC, GoldenDealer then installs a modular backdoor named GoldenHowl and a file stealer named GoldenRobo.

ESET isn’t sure how GoldenDealer makes its way onto a PC in the first place, suggesting “an unknown worm component” is part of the puzzle.

By May 2022, the miscreants had shifted their tactics and malware, writing a new set of tools in Go that provide several capabilities.

These include “GoldenUsbCopy”, which monitors for USBs and then steals files from the removable drives, along with GoldenUsbGo, which appears to be a newer version of GoldenUsbCopy.

Another of the crew’s evilware utilities is called “GoldenAce”, a distribution tool that can propagate other executables and retrieve files via USB drives. “GoldenBlacklist” downloads encrypted archives from local servers, scans email messages and then keeps any that are of interest is also a favorite. So is “GoldenPyBlacklist”, a Python version of the email-scanning tool.

Finally, “GoldenMailer” steals files by sending emails with attachments to attacker-controlled accounts and “GoldenDrive” uploads them to Google Drive.

ESET has also published a full list of indicators of compromise in its GitHub repository. ®

More about

TIP US OFF

Send us news


Other stories you might like