GoldenJackal: Newly unveiled APT targets diplomatic entities in the Middle East and South Asia
GoldenJackal utilises a specialised toolset to gain control over targeted machines, employing removable drives to propagate and extract sensitive files.
In a recent report, Kaspersky brought to light a previously undisclosed Advanced Persistent Threat (APT) group known as GoldenJackal. This APT group has been observed engaging in targeted attacks against government and diplomatic entities in the Middle East and South Asia. Since 2020, Kaspersky has closely monitored GoldenJackal, documenting its persistent and increasingly sophisticated operations.
GoldenJackal utilises a specialised toolset to gain control over targeted machines, employing removable drives to propagate and extract sensitive files. Their modus operandi strongly suggests that the group’s main objective is espionage.
The methods employed by GoldenJackal are varied. The APT group utilises deceptive tactics, such as distributing fake Skype installers and malicious Word documents, as their initial attack vectors.
On the one hand, the fake Skype installers serve as droppers, housing two key components: the JackalControl Trojan and a genuine standalone installer for Skype for Business. On the other hand, the malicious Word documents employ a different approach. They leverage a technique known as remote template injection to download a malicious HTML page. This HTML page exploits the Follina vulnerability, allowing the attackers to gain unauthorised access to the targeted systems.
The JackalControl Trojan is the primary malware employed by GoldenJackal. This powerful tool enables the attackers to establish remote control over the compromised machines, utilising a predefined set of supported commands. The report states there are various variants of this software. Some variants are designed to maintain persistence within the system, while others operate without infecting the host machine.
In addition to the JackalControl Trojan, GoldenJackal is known to utilise a supplementary tool called JackalSteal. This tool monitors removable USB drives, remote shares, and logical drives within the targeted system, allowing the attackers to gather sensitive information.
Moreover, GoldenJackal has also been observed deploying additional specialised tools. These tools include JackalWorm, JackalPerInfo, and JackalScreenWatcher, further highlighting the versatility of the APT group’s operations. Additionally, it showcases the group’s ongoing investment in developing an arsenal of tools.
To avoid falling victim to the attacks of malicious actors, Kaspersky researchers recommend providing access to the latest threat intelligence, upskilling cybersecurity teams and deploying end point detection and response (EDR) solutions, to name a few.