Mind the (air) gap: GoldenJackal Targets Government Systems
New insights into GoldenJackal’s sophisticated toolsets, which have been used to carry out cyberespionage activities across Europe, South Asia, and the Middle East since 2019.
Introduction
On October 7, 2024, ESET Research published a detailed analysis of GoldenJackal, an advanced persistent threat (APT) group, and their efforts to breach air-gapped government systems. The report, authored by Matías Porolli, presents new insights into GoldenJackal’s sophisticated toolsets, which have been used to carry out cyberespionage activities across Europe, South Asia, and the Middle East since 2019.
Report Overview
The campaign attributed to GoldenJackal spans from May 2022 to March 2024 and primarily targets government and diplomatic entities. The group's focus is on breaching air-gapped systems—networks that are isolated from the internet for security purposes—to exfiltrate sensitive information. ESET's research highlights two previously undocumented toolsets used by GoldenJackal, revealing an intricate strategy to maintain persistence and gather intelligence.
The first toolset was observed targeting a South Asian embassy in Belarus in 2019. The attack featured custom tools such as GoldenDealer, GoldenHowl, and GoldenRobo, specifically developed to breach air-gapped systems via infected USB drives. The second toolset, deployed between May 2022 and March 2024, showcased a highly modular approach. It involved various components, each playing a distinct role in file collection, distribution, and exfiltration across a compromised network.
Technical Breakdown
ESET's analysis describes in detail the components of GoldenJackal's toolsets:
- GoldenDealer: Delivers executable payloads to air-gapped systems through USB drives, relying on automated processes to reduce the need for user interaction.
- GoldenHowl: A modular backdoor written in Python, capable of multiple malicious activities, including data collection, system information gathering, and command execution.
- GoldenRobo: Focuses on file exfiltration, using the Robocopy utility to gather specific file types from compromised systems.
The more recent toolset introduced tools such as GoldenUsbCopy and GoldenAce, with a modular design that let GoldenJackal maximize the effectiveness of their attacks while minimizing detection and maintaining control over compromised networks.
Insights and Analysis
GoldenJackal’s campaigns have impacted several governmental organizations across Europe and South Asia. Their toolsets allow them to collect confidential documents from high-value targets that are not connected to the internet, indicating that their primary goal is espionage. While no definitive nation-state sponsorship has been attributed to GoldenJackal, certain characteristics, such as similarities to malware used by Russian-speaking APTs, hint at potential origins.
Mitigation Measures
For organizations looking to protect themselves from similar threats, especially those involving air-gapped systems, ESET recommends stringent physical security controls for all removable media, consistent software updates, and vigilant monitoring of network connections. Threat intelligence feeds and regular security audits are also vital for defending against sophisticated threats like GoldenJackal.
For more technical details on the tools used by GoldenJackal and indicators of compromise (IoCs), readers can refer to ESET's report. Maintaining awareness and understanding the evolving tactics of APT groups is crucial for staying ahead of potential breaches.
GoldenJackal’s persistent attacks on air-gapped systems highlight the need for organizations to remain vigilant, particularly in securing isolated networks. Stay informed on the latest threat research to better protect your infrastructure.
Indicators of Compromise (IoCs)
SHA-1 | Filename | Detection | Description |
---|---|---|---|
DA9562F5268FA61D19648DFF9C6A57FB8AB7B0D7 | winaero.exe | Win32/Agent.AGKQ | GoldenDealer. |
5F12FFD272AABC0D5D611D18812A196A6EA2FAA9 | 1102720677 | Python/Agent.ANA, Python/HackTool.Agent.W, Python/Riskware.LdapDump.A, Python/Riskware.Impacket.C | GoldenHowl. |
6DE7894F1971FDC1DF8C4E4C2EDCC4F4489353B6 | OfficeAutoComplete.exe | WinGo/Agent.AAO | GoldenRobo. |
7CB7C3E98CAB2226F48BA956D3BE79C52AB62140 | prinntfy.dll | WinGo/DataStealer.A | GoldenUsbCopy. |
8F722EB29221C6EAEA9A96971D7FB78DAB2AD923 | zUpdater.exe | WinGo/Spy.Agent.AH | GoldenUsbGo. |
24FBCEC23E8B4B40FEA188132B0E4A90C65E3FFB | fc.exe | WinGo/DataStealer.C | GoldenAce. |
A87CEB21EF88350707F278063D7701BDE0F8B6B7 | upgrade | MSIL/Agent.WPJ | JackalWorm – simpler version. |
9CBE8F7079DA75D738302D7DB7E97A92C4DE5B71 | fp.exe | WinGo/Spy.Agent.CA | GoldenBlacklist. |
9083431A738F031AC6E33F0E9133B3080F641D90 | fp.exe | Python/TrojanDownloader.Agent.YO | GoldenPyBlacklist. |
C830EFD843A233C170285B4844C5960BA8381979 | cb.exe | Python/Agent.ALE | GoldenMailer. |
F7192914E00DD0CE31DF0911C073F522967C6A97 | GoogleUpdate.exe | WinGo/Agent.YH | GoldenDrive. |
B2BAA5898505B32DF7FE0A7209FC0A8673726509 | fp.exe | Python/Agent.ALF | Python HTTP server. |
IP Address | Domain | Hosting Provider | First Seen | Details |
---|---|---|---|---|
83.24.9[.]124 | N/A | Orange Polska Spolka Akcyjna | 2019‑08‑09 | Primary C&C server used by GoldenJackal in 2019. |
196.29.32[.]210 | N/A | UTANDE | 2019‑08‑09 | Secondary C&C server used by GoldenJackal in 2019. |
N/A | assistance[.]uz | N/A | 2019‑09‑25 | Compromised website used to download malware. |
N/A | thehistore[.]com | N/A | 2019‑09‑25 | Compromised website used as a C&C server. |
N/A | xgraphic[.]ro | N/A | 2019‑09‑25 | Compromised website used as a C&C server. |
Email Address |
---|
mariaalpane@outlook[.]com |
katemarien087@outlook[.]com |
spanosmitsotakis@outlook[.]com |
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 | GoldenJackal probably acquired a VPS server to use as a secondary C&C server for the GoldenDealer malware. |
Resource Development | Acquire Infrastructure: Server | T1583.004 | GoldenJackal likely acquired a server to use as a primary C&C server for the GoldenDealer malware. |
Resource Development | Compromise Infrastructure: Web Services | T1584.006 | GoldenJackal has used compromised WordPress sites for C&C infrastructure, used by the JackalControl and JackalSteal malware. |
Resource Development | Develop Capabilities: Malware | T1587.001 | GoldenJackal develops its own custom malware. |
Resource Development | Establish Accounts: Cloud Accounts | T1585.003 | GoldenJackal has used Google Drive to store exfiltrated files and legitimate tools. |
Resource Development | Obtain Capabilities: Tool | T1588.002 | GoldenJackal uses legitimate tools, such as Plink and PsExec, for post-compromise operations. |
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | GoldenJackal executed PowerShell scripts to download the JackalControl malware from a compromised WordPress website. |
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | GoldenAce uses cmd.exe to run a batch script to execute other malicious components. |
Execution | Command and Scripting Interpreter: Python | T1059.006 | GoldenHowl contains various malicious modules that are Python scripts. |
Execution | Native API | T1106 | GoldenDealer can copy and run an executable file with the CreateProcessW API. |
Execution | System Services: Service Execution | T1569.002 | GoldenDealer can run as a service. |
Execution | User Execution: Malicious File | T1204.002 | JackalWorm uses a folder icon to entice a potential victim to launch it. |
Persistence | Create or Modify System Process: Windows Service | T1543.003 | GoldenDealer creates the service NetDnsActivatorSharing to persist on a compromised system. |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | If GoldenDealer fails to create a service for persistence, an entry in a Run registry key is created instead. |
Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | GoldenHowl creates the scheduled task Microsoft\Windows\Multimedia\SystemSoundsService2 for persistence. |
Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 | GoldenDealer modifies the registry so that hidden files and directories are not shown in Windows Explorer. GoldenDealer, GoldenAce, and JackalWorm create hidden folders on USB drives. |
Defense Evasion | Indicator Removal: File Deletion | T1070.004 | GoldenAce deletes payloads after they are run. GoldenBlacklist and GoldenPyBlacklist delete intermediate files after the final archives are generated. |
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | GoldenUsbCopy uses a legitimate Firefox directory C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\ to stage files. |
Defense Evasion | Masquerading: Masquerade File Type | T1036.008 | JackalWorm uses a folder icon to disguise itself as a non-executable file. |
Defense Evasion | Modify Registry | T1112 | GoldenDealer modifies the registry so that hidden files and directories are not shown in Windows Explorer. |
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | GoldenJackal uses various encryption algorithms in its toolset, such as XOR, Fernet, and AES, to encrypt configuration files and files to be exfiltrated. |
Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | GoldenUsbGo looks for files with filenames that are usually associated with credentials. |
Credential Access | Unsecured Credentials: Private Keys | T1552.004 | GoldenUsbGo looks for files that may contain private keys, such as those with filenames that contain id_rsa. |
Discovery | Account Discovery: Local Account | T1087.001 | GoldenDealer collects information about all user accounts on a compromised system. |
Discovery | File and Directory Discovery | T1083 | GoldenHowl has a module to generate a |
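A host-side hunt for the persistence and staging artifacts named in the table above, added here as an example and not code from ESET or the GoldenJackal report. It assumes PowerShell 5.1 or later on Windows in an elevated session, and checks the service, scheduled task and registry entries from the table plus hidden folders on removable drives, hashing their files against the USB-side SHA-1 values from the IoC table.

```powershell
# Added hunt script, not code from ESET or the GoldenJackal report: checks one Windows
# host for the persistence and staging artifacts named in the ATT&CK table above.
# Assumes PowerShell 5.1+ and an elevated session (HKLM, services and all drives readable).
$findings = @()

# T1543.003: service name GoldenDealer registers.
$svc = Get-Service -Name 'NetDnsActivatorSharing' -ErrorAction SilentlyContinue
if ($svc) {
    $bin = (Get-CimInstance Win32_Service -Filter "Name='NetDnsActivatorSharing'").PathName
    $findings += "Service NetDnsActivatorSharing present (state $($svc.Status), binary: $bin)"
}
# T1053.005: scheduled task GoldenHowl creates.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Multimedia\' -TaskName 'SystemSoundsService2' -ErrorAction SilentlyContinue
if ($task) {
    $act = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task Multimedia\SystemSoundsService2 present (actions: $act)"
}
# T1547.001: Run-key fallback. The value name is not documented on the page, so every Run entry is listed for review.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings += "Review $hive Run entry '$($_.Name)' = $($_.Value)" }
    }
}
# T1564.001 / T1112: Explorer's Hidden value (2 = hidden items not shown; this is also the Windows default,
# so it is context only; confirm a recent change via registry auditing or Sysmon).
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name Hidden -ErrorAction SilentlyContinue
if ($adv) { $findings += "Explorer Advanced\Hidden = $($adv.Hidden) (context only)" }

# T1564.001 on removable media: hidden folders at the root of removable drives, with each file's
# SHA-1 checked against the USB-side hashes from the IoC table (extend with the rest as needed).
$known = @{
    'DA9562F5268FA61D19648DFF9C6A57FB8AB7B0D7' = 'GoldenDealer'
    '7CB7C3E98CAB2226F48BA956D3BE79C52AB62140' = 'GoldenUsbCopy'
    '8F722EB29221C6EAEA9A96971D7FB78DAB2AD923' = 'GoldenUsbGo'
    '24FBCEC23E8B4B40FEA188132B0E4A90C65E3FFB' = 'GoldenAce'
    'A87CEB21EF88350707F278063D7701BDE0F8B6B7' = 'JackalWorm'
}
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {   # DriveType 2 = removable disk
    foreach ($dir in Get-ChildItem -Path "$($disk.DeviceID)\" -Directory -Hidden -ErrorAction SilentlyContinue) {
        $findings += "Hidden folder on removable drive: $($dir.FullName)"
        foreach ($f in Get-ChildItem -Path $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue) {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA1).Hash
            if ($known.ContainsKey($hash)) { $findings += "Known $($known[$hash]) sample at $($f.FullName)" }
        }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No GoldenJackal artifacts from the table found on this host.' }
```

Run-key entries are reported for review rather than matched because the page does not give the value name GoldenDealer uses; a hidden folder on a USB drive by itself is only a lead until its contents are examined.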