The Register: Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware

Source URL: https://www.theregister.com/2024/10/09/goldenjackal_custom_malware/
Source: The Register
Title: Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware

Feedly Summary: USB sticks help, but it’s unclear how tools that suck malware from them are delivered
A cyberespionage APT crew named GoldenJackal hacked air-gapped PCs belonging to government and diplomatic entities at least twice using two sets of custom malware, according to researchers from antivirus vendor ESET.…

AI Summary and Description: Yes

**Summary:** The text describes a sophisticated cyberespionage campaign by a group named GoldenJackal, which successfully hacked air-gapped systems belonging to government and diplomatic entities using custom malware. The report sheds light on the group’s resourcefulness, the evolution of their toolsets, and the methodologies employed for infiltrating high-security environments. This information is particularly relevant to security professionals focused on threat detection and response strategies.

**Detailed Description:**

The article discusses the activities of a cyberespionage group known as GoldenJackal and highlights a series of sophisticated attacks targeting air-gapped systems associated with government and diplomatic organizations. Here are the main points:

– **Attacks Overview:**
  – GoldenJackal has breached air-gapped PCs belonging to government and diplomatic entities at least twice, employing two different sets of custom malware.
  – Investigations reveal attacks on a government organization in Europe between May 2022 and March 2024 and on a South Asian embassy in Belarus in 2019.

– **Resourcefulness and Sophistication:**
  – ESET researchers emphasize the sophistication of GoldenJackal, noting that it is unusual for a group to deploy multiple toolsets designed to compromise air-gapped systems over a span of five years.
  – The group is believed to be resourceful, capable of developing bespoke toolsets for its operations.

– **Malware and Techniques:**
  – Early malware identified during the 2019 embassy attack included a component called “GoldenDealer,” which monitors USB devices, retrieves additional malware, and executes it on air-gapped machines.
  – In May 2022, newer malware written in Go was observed, showcasing a shift in tactics and capabilities, including tools for file theft and malware distribution.

– **Infection Vectors:**
  – GoldenJackal is thought to have gained initial access to target systems through fake Skype installers, malicious Word documents, and the exploitation of the Follina vulnerability via remote template injection.

– **Evolution of Malware Tools:**
  – The report outlines a comprehensive list of tools used by GoldenJackal, including:
    – **GoldenUsbCopy:** Monitors USB devices and steals files.
    – **GoldenAce:** Distributes malware and retrieves files via USB.
    – **GoldenBlacklist & GoldenPyBlacklist:** Scan and retain interesting email messages.
    – **GoldenMailer:** Sends stolen files to attacker-controlled email accounts.
    – **GoldenDrive:** Uploads files to Google Drive.

– **Indicators of Compromise:**
  – ESET has published a full list of indicators of compromise related to GoldenJackal’s activities on its GitHub repository, aiding other cybersecurity professionals in identifying threats.

**Implications for Security Professionals:**

– The evolution of GoldenJackal’s malware and its targeted strategies underscores the importance of continuous monitoring for advanced persistent threats (APTs) and the need for layered security measures in both government and private sectors.
– Understanding the methods used to infiltrate air-gapped systems can drive improvements in security protocols tailored for high-security environments.
– Organizations should prioritize incident response capabilities and develop comprehensive threat intelligence programs to stay ahead of such sophisticated cyberespionage efforts.