A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.
Victims included a South Asian embassy in Belarus and a European Union (E.U.) government organization, Slovak cybersecurity company ESET said.
"The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis.
GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019.
An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infecting connected USB drives and delivering a trojan dubbed JackalControl.
While there is insufficient information to conclusively tie the activities to a specific nation-state threat, there is some tactical overlap with malicious tools used in campaigns linked to Turla and MoustachedBouncer, the latter of which has also singled out foreign embassies in Belarus.
ESET said it discovered GoldenJackal artifacts at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. Of particular interest is how the threat actor also managed to deploy a completely revamped toolset between May 2022 and March 2024 against an E.U. government entity.
"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," Porolli pointed out. "This speaks to the resourcefulness of the group."
The attack against the South Asian embassy in Belarus is said to have made use of three different malware families, in addition to JackalControl, JackalSteal, and JackalWorm -
- GoldenDealer, which is used to deliver executables to the air-gapped system via compromised USB drives
- GoldenHowl, a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and
- GoldenRobo, a file collector and data exfiltration tool
The attacks targeting the unnamed government organization in Europe, on the other hand, have been found to rely on an entirely new set of malware tools mostly written in Go. They are engineered to collect files from USB drives, spread malware via USB drives, exfiltrate data, and use some machine servers as staging servers to distribute payloads to other hosts -
- GoldenUsbCopy and its improved successor GoldenUsbGo, which monitor USB drives and copy files for exfiltration
- GoldenAce, which is used to propagate the malware, including a lightweight version of JackalWorm, to other systems (not necessarily those that are air-gapped) using USB drives
- GoldenBlacklist and its Python implementation GoldenPyBlacklist, which are designed to process email messages of interest for subsequent exfiltration
- GoldenMailer, which sends the stolen information to attackers via email, and
- GoldenDrive, which uploads stolen information to Google Drive
It's currently not known as to how GoldenJackal manages to gain initial compromise to breach target environments. However, Kaspersky previously alluded to the possibility of trojanized Skype installers and malicious Microsoft Word documents as entry points.
GoldenDealer, which is already present in a computer connected to the internet and delivered via an as-yet-undetermined mechanism, springs into action when a USB drive is inserted, causing itself and an unknown worm component to be copied into the removable device.
It's suspected that the unknown component is executed when the infected USB drive is connected to the air-gapped system, following which GoldenDealer saves information about the machine to the USB drive.
When the USB device is inserted into the aforementioned internet-connected machine a second time, GoldenDealer passes the information stored in the drive to an external server, which then responds with appropriate payloads to be run on the air-gapped system.
The malware is also responsible for copying the downloaded executables to the USB drive. In the last stage, when the device is connected to the air-gapped machine again, GoldenDealer takes the copied executables and runs them.
For its part, GoldenRobo is also executed on the internet-connected PC and is equipped to take the files from the USB drive and transmit them to the attacker-controlled server. The malware, written in Go, gets its name from the use of a legitimate Windows utility called robocopy to copy the files.
ESET said it has yet to uncover a separate module that takes care of copying the files from the air-gapped computer to the USB drive itself.
"Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets," Porolli said.