Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware

USB sticks help, but it's unclear how tools that suck malware from them are delivered


A cyberespionage APT crew named GoldenJackal hacked air-gapped PCs belonging to government and diplomatic entities at least twice using two sets of custom malware, according to researchers from antivirus vendor ESET.

The firm’s investigators believe GoldenJackal wields a bespoke toolset it used to breach a government org in Europe between May 2022 and March 2024, and a South Asian embassy in Belarus in 2019.

Previously, Kaspersky reported this same gang conducted a "limited number" of attacks against government and diplomatic groups in the Middle East and South Asia beginning in 2020.

While neither vendor’s researchers attributed GoldenJackal’s exploits to a particular nation, ESET notes that the command-and-control protocol used in one of the malware samples is typically used by Turla, a group backed by Russia's Federal Security Service (FSB). This may point to GoldenJackal’s operatives being Russian speakers.

ESET first spotted the unknown malware being used in the European government attacks in May 2022, and at the time couldn't attribute it to any existing crew.

Further analysis revealed connections between the tools that Kaspersky had documented in May 2023, and eventually allowed ESET to identify the 2019 Belarus embassy attack that used older custom code also capable of breaking into air-gapped systems.

"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," ESET malware researcher Matías Porolli wrote. "This speaks to the resourcefulness of the group."

The gang of cyberspies, according to both security shops, has been active since at least 2019 and codes in C#.

While ESET couldn't determine how GoldenJackal gained initial access to the victim organizations, Kaspersky said the group used fake Skype installers and malicious Word documents. Another infection vector, we're told, used remote template injection to download a malicious HTML page that exploited the Follina vulnerability.

Breaking into air-gapped PCs … twice

The August 2019 attack against the embassy used a set of tools that the researchers say have never again been deployed in an attack.

One component is called “GoldenDealer”, code that watches for the insertion of a USB storage device. If such devices are connected to a PC, this malware can download executables from a C2 server and hide them on removable drives. And on air-gapped machines, it can retrieve additional malware from the USB and then execute it.

Once the USB has been inserted into an air-gapped PC, GoldenDealer then installs a modular backdoor named GoldenHowl and a file stealer named GoldenRobo.

ESET isn’t sure how GoldenDealer makes its way onto a PC in the first place, suggesting “an unknown worm component” is part of the puzzle.
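The defensive counterpart to the GoldenDealer behaviour described above is a periodic sweep of removable media for executables that do not belong there. The following is an added example written for this page, not code from ESET's report or from GoldenJackal's toolset. It assumes that "hiding" files on a drive means setting a hidden attribute (a dot-prefixed name on POSIX, FILE_ATTRIBUTE_HIDDEN on Windows); because that is an assumption, the scanner also flags executable file types and files carrying a PE "MZ" header regardless of attributes. The extension list and the throwaway sample drive are constructed for the demonstration and are not indicators from the report.

```python
"""Hunt for hidden or disguised executables on a removable drive.

Added example (not ESET's or GoldenJackal's code). Assumptions, labelled:
- "hidden" = dot-prefixed path component (POSIX) or FILE_ATTRIBUTE_HIDDEN (Windows)
- EXECUTABLE_SUFFIXES is a constructed list of file types that should not sit on a document stick
- build_demo_drive() fabricates sample files; nothing here is a real indicator of compromise
"""
import os
import stat
import tempfile
from pathlib import Path

# Constructed list of executable-ish file types to flag on removable media.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".jar"}

# Every Windows PE file starts with "MZ"; this catches a binary renamed to look like a document or image.
MZ_MAGIC = b"MZ"


def is_hidden(path: Path, root: Path) -> bool:
    """True if the file, or any directory between root and it, is hidden."""
    rel_parts = path.relative_to(root).parts
    if any(part.startswith(".") for part in rel_parts):
        return True
    # st_file_attributes only exists on Windows; elsewhere getattr returns 0 and the check is a no-op.
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def looks_like_pe(path: Path) -> bool:
    """True if the first two bytes are the PE/DOS 'MZ' magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:
        return False


def scan_removable_drive(root) -> list:
    """Walk a mounted drive and return findings sorted by relative path.

    Severity: 'high' = executable signal AND hidden, 'medium' = executable
    signal only, 'low' = hidden only (often benign, e.g. .Trashes or desktop.ini).
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in EXECUTABLE_SUFFIXES:
            reasons.append("executable-extension")
        if looks_like_pe(path):
            reasons.append("pe-header")
        hidden = is_hidden(path, root)
        if hidden:
            reasons.append("hidden")
        if not reasons:
            continue
        exec_signals = [r for r in reasons if r != "hidden"]
        severity = "high" if exec_signals and hidden else "medium" if exec_signals else "low"
        findings.append({"path": path.relative_to(root).as_posix(),
                         "reasons": reasons, "severity": severity})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_drive() -> str:
    """Construct a throwaway 'USB stick' with benign and suspicious files (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04 placeholder docx bytes")
    (root / "notes.txt").write_text("quarterly notes")
    hidden_dir = root / ".sys"                      # hidden directory hiding a dropped binary
    hidden_dir.mkdir()
    (hidden_dir / "update.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE disguised as an image
    (root / ".Trashes").mkdir()                     # benign hidden dir, as macOS creates
    (root / ".Trashes" / "old.txt").write_text("deleted")
    return str(root)


if __name__ == "__main__":
    for finding in scan_removable_drive(build_demo_drive()):
        print(f"[{finding['severity']:6}] {finding['path']}  ({', '.join(finding['reasons'])})")
```

On a real host, point `scan_removable_drive` at the mount point of each removable volume from a device-insertion hook; the "hidden only" tier exists so that routine OS housekeeping files do not drown out the hidden executables that matter.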

By May 2022, the miscreants had shifted their tactics and malware, writing a new set of tools in Go that provide several capabilities.

These include “GoldenUsbCopy”, which monitors for USBs and then steals files from the removable drives, along with GoldenUsbGo, which appears to be a newer version of GoldenUsbCopy.

Another of the crew’s evilware utilities is called “GoldenAce”, a distribution tool that can propagate other executables and retrieve files via USB drives. “GoldenBlacklist”, which downloads encrypted archives from local servers, scans email messages and then keeps any that are of interest, is also a favorite. So is “GoldenPyBlacklist”, a Python version of the email-scanning tool.

Finally, “GoldenMailer” steals files by sending emails with attachments to attacker-controlled accounts and “GoldenDrive” uploads them to Google Drive.

ESET has also published a full list of indicators of compromise in its GitHub repository. ®
