GoldenJackal Cyber Gang Spying on Diplomatic Institutions


Kaspersky has discovered a new cybercrime group. The group, called GoldenJackal, has been active since 2019 but has no public profile and remains largely a mystery. According to Kaspersky's research, the group mainly targets public and diplomatic institutions in the Middle East and South Asia.

Kaspersky started monitoring GoldenJackal in mid-2020. The group behaves as a skilled and moderately stealthy threat actor with a consistent level of activity. Its defining trait is its set of goals: to hijack computers, spread between systems via removable drives and steal specific files. This indicates that the threat actor's main purpose is espionage.

According to Kaspersky's research, the threat actor uses fake Skype installers and malicious Word documents as initial vectors for attacks. The fake Skype installer consists of an executable file of approximately 400 MB and contains the JackalControl Trojan and a legitimate Skype for Business installer. The first use of this tool dates back to 2020. Another infection vector is based on a malicious document that exploits the Follina vulnerability, using a remote template injection technique to download a purpose-built HTML page.

The document is titled “Gallery of Officers Who Have Received National and Foreign Awards.docx” and appears to be a legitimate circular requesting information about officers awarded by the Pakistani government. Information on the Follina vulnerability was first shared on May 29, 2022, and according to the records the document was modified on June 1, two days after the vulnerability was made public. The document was first spotted on June 2. It is configured to load an external object from a legitimate but compromised website; once that external object has been downloaded, the executable containing the JackalControl Trojan is launched.
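As an added illustration, not code from Kaspersky's report or this article, the following defender-side check targets the remote template trick described above: it opens a .docx as the ZIP archive it is and flags any relationship whose target is an external URL, which is the hook a remote template injection relies on. The archive contents and URL it builds are constructed placeholders, not a real sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship parts where a remote template or external object would be declared
REL_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every relationship marked External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in REL_PARTS:
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((part, rtype, rel.get("Target", "")))
    return findings


def is_suspicious(docx_bytes):
    """A remote attachedTemplate or oleObject pointing at a URL is the pattern to review."""
    return any(
        rtype in ("attachedTemplate", "oleObject")
        and target.lower().startswith(("http://", "https://"))
        for _, rtype, target in external_relationships(docx_bytes)
    )


def build_sample_docx(template_url=None):
    """Constructed, non-functional .docx-like archive used only as test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        if template_url:
            rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/attachedTemplate" '
                     f'Target="{template_url}" TargetMode="External"/>')
        rels += "</Relationships>"
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A locally attached template (a file path rather than a URL) is not flagged, so the check stays quiet on ordinary corporate templates while surfacing documents that fetch content from the web.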

JackalControl: the remotely controlled attack

JackalControl serves as the main Trojan that allows attackers to remotely control the target machine. Over the years, attackers have distributed different variants of this malware. Some variants contain additional code to maintain persistence, while others are configured to operate without infecting the system. Machines are often infected through other components such as batch scripts.

The second important tool widely used by the GoldenJackal group is JackalSteal. This tool can be used to monitor removable USB drives, remote shares and all logical drives on the targeted system. The malware can run as a standard process or service. However, it cannot maintain its persistence and therefore needs to be loaded by another component.

Finally, GoldenJackal uses a number of additional tools such as JackalWorm, JackalPerInfo, and JackalScreenWatcher. These tools were used in specific situations observed by Kaspersky researchers. The toolkit is designed to control victims' machines, steal credentials and take screenshots of desktops, indicating that espionage is the ultimate objective.

Giampaolo Dedola, Senior Security Researcher at Kaspersky Global Research and Analysis Team (GReAT), said:

“GoldenJackal is an interesting APT actor trying to stay out of sight with his low profile. Despite first starting operations in June 2019, they have managed to stay hidden. With an advanced malware toolkit, this actor has been highly prolific in his attacks on public and diplomatic organizations in the Middle East and South Asia. As some of the malware embeds are still in development, it is crucial for cybersecurity teams to keep an eye out for possible attacks by this actor. We hope our analysis will help prevent GoldenJackal's activities.”