Connect with us

Hi, what are you looking for?

HEADLINES

GoldenJackal APT spying on diplomatic entities in Middle East and South Asia

Kaspersky began monitoring the group in mid-2020 and observed a consistent of activities, which portray a capable and moderately stealthy actor. The main feature of this group is a specific toolset intended to control the machines of their victims, spread across systems using removable drives, and smuggle certain files from them, suggesting that the actor’s primary motivation is espionage.

Kaspersky discovered a new APT group. Dubbed GoldenJackal, it has been active since 2019, but has no public profile and has remained largely unknown. As the investigation shows, the group usually targets government and diplomatic entities in the Middle East and South Asia. 

Kaspersky began monitoring the group in mid-2020 and observed a consistent of activities, which portray a capable and moderately stealthy actor. The main feature of this group is a specific toolset intended to control the machines of their victims, spread across systems using removable drives, and smuggle certain files from them, suggesting that the actor’s primary motivation is espionage.

As Kaspersky’s investigation shows, the actor used fake Skype installers and malicious Word documents as initial vectors for their attacks. The fake Skype installer was an executable file that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. The first usage of this tool was tracked back to 2020. Another infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.

The document was named “Gallery of Officers Who Have Received National and Foreign Awards.docx” and appears as a legitimate circular requesting the information about officers decorated by Pakistan’s government. The first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after publication, and was first detected on June 2.

Advertisement. Scroll to continue reading.

The document was configured to load an external object from a legitimate and compromised website. Once the external object is downloaded, the executable file is launched, which contains a JackalControl Trojan malware. 

JackalControl is the main trojan and it allows the attackers to control the target machine remotely through a set of predefined and supported commands. Over the years the attackers have distributed different variants of this malware: some include code to maintain persistence, others were configured to run without infecting the system. The machine usually gets infected by other components, such as a batch script.

The second important tool usually deployed by the GoldenJackal group is a JackalSteal. This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component. 

Finally, GoldenJackal uses a number of additional tools, such as JackalWorm, JackalPerInfo and JackalScreenWatcher. They are deployed in specific cases that were witnessed by Kaspersky researchers. This toolset is aimed at controlling victim’s machines, stealing their credentials, taking screen captures of the desktop and so on – with espionage as an ultimate objective.

“GoldenJackal is an interesting APT actor that tries to keep a low profile – despite first kicking off its operation back in June 2019, it managed to stay under the radar. Possessing an advanced malware toolset, it has been quite prolific in its attacks on government and diplomatic entities in the Middle East and Southern Asia. Since some of the malware implants are still in the developing stages, it is crucial for cybersecurity teams to watch out for any possible attacks that might be performed by the actor. We hope that our analysis will help prevent GoldenJackal’s activity,” comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

Advertisement. Scroll to continue reading.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. 
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
  • For endpoint level detection, investigation, and the timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Some of the most common online transactions include paying bills, making online purchases, and conducting banking activities. With the convenience of digital platforms, people...

HEADLINES

By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and...

HEADLINES

During Sophos X-Ops' investigation, which began in 2023, the managed detection and response (MDR) team found three distinct clusters of activity targeting the same...

HEADLINES

Customers can now choose one of three product tiers tailored to their business requirements, the complexity of their IT infrastructure, and their available resources

HEADLINES

Fraudsters have been spreading fake links on social media, enticing mobile users to register. Once clicked, these fake URLs lead to blogs filled with...

HEADLINES

With this new capability, users will now get an “[Item] Found Moving With You” alert on their device if an unknown Bluetooth tracking device...

APPS

Today, the App Store stands at the forefront of app distribution, setting the standard for security, reliability, and user experience.

HEADLINES

Kaspersky has detected and blocked over 13 million web threats from its security solutions for businesses in Southeast Asia (SEA). Historical data from the...

Advertisement