Don’t expect any howls: GoldenJackal APT spying on diplomatic entities in Middle East and South Asia
Kaspersky discovered a new APT group. Dubbed GoldenJackal, it has been active since 2019, but has no public profile and has remained largely unknown. As the investigation shows, the group usually targets government and diplomatic entities in the Middle East and South Asia.
Kaspersky began monitoring the group in mid-2020 and observed a consistent of activities, which portray a capable and moderately stealthy actor. The main feature of this group is a specific toolset intended to control the machines of their victims, spread across systems using removable drives, and smuggle certain files from them, suggesting that the actor’s primary motivation is espionage.
As Kaspersky’s investigation shows, the actor used fake Skype installers and malicious Word documents as initial vectors for their attacks. The fake Skype installer was an executable file that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. The first usage of this tool was tracked back to 2020. Another infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.
The first page of a malicious document
The document was named “Gallery of Officers Who Have Received National and Foreign Awards.docx” and appears as a legitimate circular requesting the information about officers decorated by Pakistan’s government. The first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after publication, and was first detected on June 2.
The document was configured to load an external object from a legitimate and compromised website. Once the external object is downloaded, the executable file is launched, which contains a JackalControl Trojan malware.
JackalControl is the main trojan and it allows the attackers to control the target machine remotely through a set of predefined and supported commands. Over the years the attackers have distributed different variants of this malware: some include code to maintain persistence, others were configured to run without infecting the system. The machine usually gets infected by other components, such as a batch script.
The second important tool usually deployed by GoldenJackal group is a JackalSteal. This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.
Finally, GoldenJackal uses a number of additional tools, such as JackalWorm, JackalPerInfo and JackalScreenWatcher. They are deployed in specific cases that were witnessed by Kaspersky researchers. This toolset is aimed at controlling victim’s machines, steal their credentials, take screen captures of the desktop and so on – with the espionage as an ultimate objective.
“GoldenJackal is an interesting APT actor that tries to keep a low profile – despite first kicking off its operation back in June 2019, it managed to stay under the radar. Possessing an advanced malware toolset, it has been quite prolific in its attacks on government and diplomatic entities in the Middle East and Southern Asia. Since some of the malware implants are still in the developing stages, it is crucial for cybersecurity teams to watch out for any possible attacks that might be performed by the actor. We hope that our analysis will help prevent GoldenJackal’s activity,” comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Read the full report about the GoldenJackal APT group on Securelist.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
· Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
· Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
· For endpoint level detection, investigation, and the timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
· In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
· As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform