Muscat: Kaspersky discovered a new cybercriminal group. Dubbed GoldenJackal, it has been active since 2019, but has had no public profile and has remained largely unknown. As the investigation shows, the group usually targets government and diplomatic entities in the Middle East and South Asia.
Kaspersky began monitoring the group in mid-2020 and observed a consistent flow of activities, which portray a capable and moderately stealthy actor. The main feature of this group is a specific toolset intended to control the machines of their victims, spread across systems using removable drives, and smuggle certain files from them, suggesting that the actor’s primary goal is espionage.
As Kaspersky’s investigation shows, the actor used fake Skype installers and malicious Word documents as initial vectors for their attacks. The fake Skype installer was an executable file that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. The first usage of this tool was tracked back to 2020. Another infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.
The first page of the malicious document
The document was named “Gallery of Officers Who Have Received National and Foreign Awards.docx” and appears as a legitimate circular requesting the information about officers decorated by a government. The first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after the publication, and was first detected on June 2.
The document was configured to load an external object from a legitimate and compromised website. Once the external object is downloaded, the executable file is launched, which contains the JackalControl Trojan malware.
JackalControl is the main trojan and it allows the attackers to control the target machine remotely through a set of predefined and supported commands. Over the years the attackers have distributed different variants of this malware: some include code to maintain persistence, others were configured to run without infecting the system. The machine usually gets infected by other components, such as a batch script.
The second important tool usually deployed by the GoldenJackal group is a JackalSteal. This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.
Finally, GoldenJackal uses a number of additional tools, such as JackalWorm, JackalPerInfo and JackalScreenWatcher. They are deployed in specific cases that were witnessed by Kaspersky researchers. This toolset is aimed at controlling victims’ machines, stealing their credentials, taking screen shots of the desktop and so on – with espionage as an ultimate objective.
“GoldenJackal is an interesting APT actor that tries to keep a low profile – despite first kicking off its operation back in June 2019, it managed to stay under the radar. Possessing an advanced malware toolset, it has been quite prolific in its attacks on government and diplomatic entities in the Middle East and Southern Asia. Since some of the malware implants are still in the developing stages, it is crucial for cybersecurity teams to watch out for any possible attacks that might be performed by the actor. We hope that our analysis will help prevent GoldenJackal’s activity,” comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).