GoldenJackal APT group, stealth and camouflage adapted from Jackal

A new group called GoldenJackal targets government and diplomatic organizations in the Middle East and South Asia. This group, active for around four years, is highly skilled and difficult to detect. It focuses on countries like Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. They aim to steal data, spread malware through removable drives, and conduct surveillance.

#GoldenJackal has a worm capability to spread and infect systems using removable USB drives.

In the attached pic the removable drive “E:” was infected by the malware, which copied itself as Folder1.exe and changed the attributes of Folder1 to hide it: pic.twitter.com/1EoqhXpcE4

— Eugene Kaspersky (@e_kaspersky) May 23, 2023

The exact origin and affiliation of GoldenJackal are unknown, but their tactics suggest 

• They are motivated by espionage. 
• They operate covertly and strive to remain hidden, indicating a possible state-sponsored connection. 

Interestingly, there are some similarities between GoldenJackal and Turla, a Russian hacking group associated with the government. In some cases, victims were infected by both groups, although two months apart.

Operational blueprints

The initial method used by GoldenJackal to breach targeted computers has yet to be discovered. However, evidence suggests they 

• utilize trojanized Skype installers and malicious Microsoft Word documents. These documents exploit vulnerabilities to deliver malware called JackalControl, allowing attackers to control the infected machines remotely.

GoldenJackal deploys various malware families, including JackalSteal, which searches for and transmits specific files to a remote server, and JackalWorm, which spreads through removable USB drives and installs JackalControl. 

Other malware includes JackalPerInfo, which harvests system information and credentials, and JackalScreenWatcher, which captures screenshots regularly and sends them to the attackers’ server.

A notable aspect of Golden Jackals operations is 

• its use of compromised WordPress sites to forward web requests to its command-and-control (C2) server. This tactic helps them reduce their visibility and limit the number of victims. 
• The group’s toolkit is evolving, as indicated by the presence of multiple variants of their malware.

“We don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that many websites were using obsolete versions of WordPress, and some had also been defaced or infected with previously uploaded web shells, likely due to low-key hacktivist or cybercriminal activity. For this reason, we assess that the vulnerabilities used to breach these websites are known rather than 0-days,” Kaspersky.

What’s the point?

GoldenJackal poses a significant threat to government and diplomatic entities in the targeted regions. Organizations must stay vigilant, update their security measures, and be cautious when interacting with suspicious files or websites.