Kaspersky Lab detects a spying jackal infiltrating state institutions in the Middle East
The previously undocumented APT group GoldenJackal has built a complete, purpose-built toolkit for its attacks.
The little-known APT group GoldenJackal has been spying on government and diplomatic institutions in Asia and the Middle East since 2019. The attackers operate covertly, carefully selecting their victims and keeping the number of attacks to a minimum to reduce the likelihood of exposure. This was reported by Kaspersky Lab researchers, who have been tracking GoldenJackal since 2020.
According to the researchers, the group is most active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey. Kaspersky Lab notes that although the attackers began operating years ago, the group remains largely unknown and has not been publicly documented.
GoldenJackal's initial infection vectors are not fully known. However, the researchers have observed:
- Phishing campaigns with malicious documents that use the Remote Template Injection technique to fetch a remote template and, through it, exploit the Follina vulnerability (CVE-2022-30190), which is triggered via Microsoft Office documents;
- Trojanized Skype for Business installers that dropped a Trojan alongside the legitimate program.
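As an added example (not code from Kaspersky Lab or from the article), the following Python checker covers the delivery step described above: a .docx that carries an attachedTemplate relationship whose target is a remote URL or network path, which Word fetches when the document is opened. It unpacks the document and inspects the relationship parts, distinguishing a local Normal.dotm reference from a remote one. The documents it builds in memory are constructed for the demonstration, and the 203.0.113.x addresses are documentation addresses, not indicators from the campaign.

```python
"""Flag remote template references in .docx files.

Remote template injection places the template target in
word/_rels/settings.xml.rels as a Relationship of type attachedTemplate with
TargetMode="External". A URL or UNC target there makes Word reach out to a
host at open time, which is the delivery step abused before Follina
(CVE-2022-30190) fires. A remote target is not proof of malice on its own,
but in a mail attachment it is a strong signal worth quarantining on.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Relationship parts that may legitimately hold external references.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def is_remote_target(target: str) -> bool:
    """True if a relationship target resolves to a network host."""
    t = target.strip()
    if re.match(r"^(https?|ftp)://", t, re.I):
        return True
    if t.startswith("\\\\"):  # UNC path \\host\share
        return True
    m = re.match(r"^file:(/*)(.*)$", t, re.I)
    if m:
        # file:///C:\... is a local drive; file://host/... or file:////host/...
        # resolves to a network share.
        return not re.match(r"^[A-Za-z]:", m.group(2))
    return False


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every external relationship whose target is remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                if not is_remote_target(target):
                    continue
                rtype = rel.get("Type", "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": target,
                    "attached_template": rtype == ATTACHED_TEMPLATE,
                })
    return findings


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (sample data, not a real lure)."""
    rel = ""
    if template_target is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{w_ns}"/>')
        zf.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://203.0.113.10/template.dotm")
    for hit in find_remote_templates(lure):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
```

The check deliberately treats a file:///C:\... attachedTemplate as benign, because Word writes exactly that for a normal local template; only URL, UNC and file://host targets are reported.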
According to Kaspersky Lab, GoldenJackal uses a set of configurable .NET malware tools that cover a range of functions, including credential theft, downloading additional malware, lateral movement and file exfiltration.
GoldenJackal uses several of its own tools in its attacks:
- JackalControl – gives the attackers remote control over an infected computer. Receiving commands from its C2 servers, the tool can execute arbitrary scripts, exfiltrate files or deliver additional payloads;
- JackalSteal – an implant that steals data from all logical drives, including remote shares and newly connected USB drives;
- JackalWorm – infects USB drives and spreads to other potentially valuable computers. After landing on another computer, the worm deletes its copy from the USB drive;
- JackalPerInfo – a system information stealer that can extract browsing history and saved credentials from browsers, as well as collect files from the Desktop, Documents and Downloads folders and from AppData\Roaming\Microsoft\Windows\Recent;
- JackalScreenWatcher – takes screenshots on an infected device and sends them to the attackers' server.
Kaspersky Lab's experts conclude that GoldenJackal deploys an extensive set of customizable tools against a deliberately small number of victims in order to run long-term espionage campaigns.