Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware

October 9, 2024 at 07:37PM

The cyberespionage group GoldenJackal has twice compromised air-gapped government and diplomatic PCs with custom malware, targeting a South Asian embassy in 2019 and a European government from May 2022 to March 2024. This Russian-speaking group has developed sophisticated tools over several years, employing various infection methods for data theft.

### Meeting Notes Summary

**Incident Overview:**
– GoldenJackal, a cyberespionage APT group, has successfully hacked air-gapped PCs belonging to government and diplomatic entities on at least two occasions, employing two sets of custom malware.

**Timeline:**
– Attacks on a European government organization occurred between May 2022 and March 2024.
– A separate attack on a South Asian embassy in Belarus was noted in 2019.

**Previous Reports:**
– Kaspersky had previously identified a limited number of attacks by GoldenJackal against government and diplomatic groups in the Middle East and South Asia, starting in 2020.

**Malware Characteristics:**
– GoldenJackal uses bespoke tools that do not follow standard attack patterns, suggesting a high degree of resourcefulness and sophistication.
– Initial access methods remain undetermined, but Kaspersky reported the use of fake Skype installers and malicious Word documents as infection vectors.

**Key Malware Components:**
1. **GoldenDealer**: Monitors USB device insertion; downloads executables from a C2 server and executes them on air-gapped systems.
2. **GoldenHowl**: Modular backdoor installed via GoldenDealer.
3. **GoldenRobo**: File stealer malware.
4. **GoldenUsbCopy/GoldenUsbGo**: File-stealing utilities that monitor and interact with USB drives.
5. **GoldenAce**: Distribution tool for propagating executables through USB.
6. **GoldenBlacklist/GoldenPyBlacklist**: Tools for scanning emails and retrieving interesting messages.
7. **GoldenMailer**: Steals files by sending email attachments to attacker-controlled accounts.
8. **GoldenDrive**: Uploads stolen files to Google Drive.
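Several of the components above share one observable trait: a program starts from a removable drive shortly after that drive is inserted. The following Python script is an added defensive illustration, not code from the article, ESET or Kaspersky: it parses a constructed sample of endpoint telemetry (USB arrival events and process-creation events) and flags process starts whose image sits on a drive inserted within a short window beforehand. The log line format, the event names `USB_INSERT`/`PROCESS_START`, and the five-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one record per line with an
# ISO timestamp, an event type, and a single key=value detail.
SAMPLE_LOG = """\
2024-03-01T09:00:00 USB_INSERT drive=E:
2024-03-01T09:01:30 PROCESS_START image=E:\\Update\\svc.exe
2024-03-01T09:02:00 PROCESS_START image=C:\\Windows\\System32\\notepad.exe
2024-03-01T11:00:00 USB_INSERT drive=F:
2024-03-01T13:30:00 PROCESS_START image=F:\\tools\\viewer.exe
"""

# Hypothetical record layout; adapt the pattern to the real event source.
LINE_RE = re.compile(r"^(\S+) (USB_INSERT|PROCESS_START) (drive|image)=(.+)$")


def parse_log(text):
    """Parse log text into (timestamp, event_kind, value) tuples, sorted by time.
    Malformed lines are skipped rather than aborting the whole parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, _, value = m.groups()
        events.append((datetime.fromisoformat(ts), kind, value))
    events.sort(key=lambda e: e[0])
    return events


def drive_of(path):
    """Return the upper-cased drive letter ('E:') of a Windows path, or None for
    UNC or relative paths, which cannot be matched to a USB arrival event."""
    m = re.match(r"^([A-Za-z]:)", path)
    return m.group(1).upper() if m else None


def find_suspicious_executions(events, window=timedelta(minutes=5)):
    """Flag process starts whose image lives on a drive that was inserted at
    most `window` earlier. Returns a list of dicts describing each hit."""
    last_insert = {}  # drive letter -> timestamp of its most recent insertion
    hits = []
    for ts, kind, value in events:
        if kind == "USB_INSERT":
            last_insert[value.upper()] = ts
        elif kind == "PROCESS_START":
            drive = drive_of(value)
            inserted = last_insert.get(drive)
            if inserted is not None and timedelta(0) <= ts - inserted <= window:
                hits.append({
                    "drive": drive,
                    "image": value,
                    "seconds_after_insert": (ts - inserted).total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_executions(parse_log(SAMPLE_LOG)):
        print(f"{hit['image']} started {hit['seconds_after_insert']:.0f}s "
              f"after {hit['drive']} was inserted")
```

On the sample data only the `E:\Update\svc.exe` start is flagged; the `F:` execution falls outside the window and the `notepad.exe` start is on a fixed disk. The window is a tuning knob: on air-gapped hosts, where removable media is the only realistic path in, an organisation may prefer to alert on any execution from removable media regardless of timing and use the insertion correlation purely as enrichment.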

**Technical Insights:**
– GoldenJackal’s malware is written in C#, with its more recent tools written in Go.
– The group shows significant technical capability: reports indicate it has developed and deployed two separate toolsets for compromising air-gapped systems over a five-year span.
– The malware’s command-and-control protocol has also been linked to Russian-backed groups, hinting at ties to Russian operatives.

**Conclusion:**
– ESET and Kaspersky’s investigations illuminate a highly skilled APT group that poses a significant cyber threat to governmental and diplomatic entities. Their methodologies and the use of custom, sophisticated malware highlight the need for enhanced cybersecurity measures within affected institutions.