A recently discovered Advanced Persistent Threat (APT) group named GoldenJackal has been observed targeting governments and diplomatic organizations in the Middle East and South Asia.
According to a new advisory published by Kaspersky today, GoldenJackal has been active since 2019, using tools designed to gain control of victim machines and carry out espionage activities.
“Based on the toolset and behavior of the attackers, we believe that espionage is the primary motivation for the attackers,” explained senior security researcher Giampaolo Dedola.
The company said it has been monitoring GoldenJackal since mid-2020. Investigation revealed that the group was using a fake Skype installer and malicious Word documents as their initial attack vectors.
The fake Skype installer acts as a dropper and contains two resources: the JackalControl Trojan and the legitimate Skype for Business standalone installer.
The malicious Word documents use a remote template injection technique to fetch an HTML page from an attacker-controlled server; that page in turn exploits the Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool.
You can read more about this flaw here: State-sponsored hackers believed to be behind Follina attacks against EU and US
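The remote template technique described above leaves a recognisable trace in the document itself: a .docx is a ZIP of XML parts, and the template a document loads on open is declared as an attachedTemplate relationship in word/_rels/settings.xml.rels. A normal document points that relationship at a local .dotm file; a remote template injection points it at an http(s) URL (or a UNC share) marked TargetMode="External", and in the Follina chain the page served from that URL carries an ms-msdt: URI that launches the diagnostic tool. The following triage script is an added example written for this article, not code from Kaspersky or the GoldenJackal report; the sample .docx it builds, the example.invalid hostname and the stub HTML payload are all constructed test inputs, and the script checks only for the two indicators named here.

```python
"""Triage a .docx for remote template injection and a Follina-style
ms-msdt: trigger in the fetched template page.

Added example for the article, not code from Kaspersky or the report.
The document builder and the URLs below are constructed test data.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# External targets worth flagging: http(s) URLs and UNC paths to remote shares.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)
# The Follina HTML page redirected into the ms-msdt: URI scheme.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every attachedTemplate target that points outside the document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships at all, so no template
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Word only dereferences the URL when TargetMode is External.
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def is_msdt_payload(html: str) -> bool:
    """True if a fetched template page contains an ms-msdt: URI (Follina trigger)."""
    return MSDT_URI.search(html) is not None


def build_docx(template_target: str, external: bool) -> bytes:
    """Build a minimal .docx with the given attached template (constructed test input).

    Only the parts the scanner reads are populated; this is not a valid
    document for Word, just enough structure for the check above.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one injected remote template, one benign local one.
    malicious = build_docx("http://example.invalid/template.html", external=True)
    benign = build_docx("Normal.dotm", external=False)
    print("remote templates:", find_remote_templates(malicious))  # flagged
    print("remote templates:", find_remote_templates(benign))     # []
    # Stub of what a Follina template page looked like (constructed, not a real sample).
    page = '<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force";</script>'
    print("msdt trigger:", is_msdt_payload(page))
```

Run the scanner over a suspicious attachment before anyone opens it; a flagged target is a strong indicator on its own, and if the fetched page also matches the ms-msdt: check you have the full Follina chain. The usual caveat applies: an attacker can serve a benign page to scanners and the real payload to the victim, so treat an empty page as inconclusive rather than clean.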
The JackalControl Trojan is the primary malware used by GoldenJackal. It allows an attacker to remotely control a targeted machine using a predefined set of supported commands.
Kaspersky has observed several variants of this malware. Some establish persistence on the victim machine, while others run without installing themselves on the system.
The group is also reported to utilize a tool called JackalSteal that monitors removable USB drives, remote shares, and logical drives within targeted systems.
Additionally, in certain cases, Kaspersky observed GoldenJackal deploying further tools such as JackalWorm, JackalPerInfo, and JackalScreenWatcher.
“[GoldenJackal’s] toolkit seems to be under development. The number of variants shows they are still investing in it. The latest malware, JackalWorm, appeared in late 2022 and appears to be still in the testing phase,” Dedola wrote in the advisory.
“This tool was unexpected because, in the last few years, attacks have been limited to a few high-profile organizations, and tools like JackalWorm are probably hard to bind and can easily get out of control because of their nature.”
To reduce the risk of falling victim to targeted attacks, Kaspersky Lab researchers recommend implementing several security measures.
These include providing access to the latest threat intelligence, upskilling cybersecurity teams with specialized training, and implementing endpoint detection and response (EDR) solutions.