APT group GoldenJackal deploys backdoors to air-gapped systems


Cyberespionage group GoldenJackal, known to target government and diplomatic entities, has updated its toolset to include malware engineered to infect and steal data from air-gapped systems.

Researchers from security firm ESET discovered the updated toolset while investigating a series of attacks against an EU government organization between May 2022 and March 2024. The toolset, primarily written in Go, also deployed malicious payloads that security firm Kaspersky Lab tied to GoldenJackal last year.

“Most of these tools are written in Go and provide diverse capabilities, such as collecting files from USB drives, spreading payloads in the network via USB drives, exfiltrating files, and using some PCs in the network as servers to deliver diverse files to other systems,” the ESET researchers wrote in their report.

Several discoveries made by ESET about GoldenJackal are worth noting, including its intent to infiltrate networks that have been air-gapped, a security measure that involves physically isolating highly sensitive network segments or systems from the internet or untrusted networks to decrease the risk of compromise or lateral movement.

Who is GoldenJackal?

Active since at least 2019, GoldenJackal is an APT group known to target government and diplomatic entities in the Middle East and South Asia, according to a 2023 report from Kaspersky Lab, which has been tracking the group since mid-2020.

GoldenJackal’s previously known malware tools, written mainly in .NET, enabled the group to control victim machines, spread across systems using removable drives, exfiltrate files from infected systems, steal credentials, collect information about web browsing activities, and take screen captures. Kaspersky Lab, which documented the tools, dubbed them JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.

But as ESET discovered, this was not the only malware toolset the group has at its disposal. The new malware programs ESET found, written in Go and Python, work in conjunction with tools found by Kaspersky, such as JackalWorm.

Neither Kaspersky nor ESET has been able to definitively link GoldenJackal to any other known APT group, but both noted similarities to Turla, a cyberespionage group previously attributed to Russia’s Federal Security Service (FSB).

The unknown toolset

ESET researchers noted that, in its attacks against the EU organization, GoldenJackal used a modular approach. “Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes,” they wrote.

Two of these tools, dubbed GoldenUsbCopy and GoldenUsbGo, are engineered to collect data from USB drives.

GoldenUsbCopy monitors a system for the insertion of USB drives, determines which files are interesting based on criteria stored in an encrypted configuration file, then archives the files and copies the archive to an encrypted container it creates on disk. The data is later exfiltrated by other tools.

GoldenUsbGo, which may be a newer, simpler implementation of GoldenUsbCopy, uses hardcoded selection criteria (certain words in file names and certain file extensions) instead of a configuration file. Instead of continuously monitoring for USB events, the tool periodically checks a list of drive letters for new files it hasn’t processed yet.

Two other tools, GoldenBlacklist and GoldenPyBlacklist, also appear to be different implementations of the same functionality: sorting through stolen email messages and preparing them for exfiltration. They process an archive of email messages downloaded from a server, remove messages from senders listed on a blacklist, and then create an encrypted archive ready for exfiltration.

“The file does not contain any email on a blocklist of email addresses,” the ESET researchers reported. “This is done to remove email messages that come from senders that usually are not interesting. While we can’t include the full list here, it’s worth mentioning that many of the email addresses are related to newsletters and press releases. It’s important to note that the attackers must have been operating for some time to build a list like this.”

Two tools dubbed GoldenMailer and GoldenDrive are used for data exfiltration. The first is written in Python and is used to email generated archives to email accounts controlled by the attackers. The second tool is written in Go and is used to upload files to Google Drive. The researchers also found a web server written in Python deployed on some systems, probably with the intention of serving files over the network.

Jumping air gaps

Air gapping as a security technique is usually achieved by disabling all network interfaces from a highly sensitive network segment and moving data to and from these systems by writing it to physical media such as USB thumb drives.

One other tool written in Go that ESET found, dubbed GoldenAce, distributes malware to other systems via USB drives, potentially reaching air-gapped networks. The payload is the JackalWorm USB infection component previously documented by Kaspersky Lab.

GoldenAce monitors whether any drive letter is mapped to a volume and, if it finds one, checks whether a Trash directory exists in the root of that drive. If the directory doesn’t exist, it creates it as a hidden folder and copies a file called “update” to it.

The tool then marks the first folder on the drive as hidden, drops a copy of JackalWorm onto the drive, and renames it with the name of the folder it previously hid, followed by .exe. The JackalWorm executable carries an icon that replicates that of a folder, with the goal of tricking the user into clicking on it in the belief that they are opening a folder they know.

When executed from the drive, JackalWorm opens the previously hidden folder in Windows Explorer to avoid raising suspicion, as this is the actual action the user expects to see. At the same time, however, it executes the file called update in the hidden Trash folder.

The update file is likely a data collection tool that puts stolen files back in the Trash folder to be collected by GoldenAce when the USB drive is taken back to the original system.
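A defender-side check for the drive layout just described, added here as an example that is not ESET’s or the malware’s code: it flags a hidden folder in a drive root shadowed by a same-named .exe, and a hidden Trash folder holding a file named update. The `Entry` type, `scan_root`, `list_dir` and the sample listing are all constructed for this example.

```python
"""Heuristic check of a removable drive's root listing for the lure layout
described above: a hidden folder shadowed by "<name>.exe" in the same root,
plus a hidden "Trash" folder staging a file named "update". Added example."""
from dataclasses import dataclass
import os
import stat

@dataclass(frozen=True)
class Entry:
    name: str      # name as it appears in the drive root
    is_dir: bool
    hidden: bool   # Windows hidden attribute (dot-prefix on POSIX)

def scan_root(entries, trash_contents=()):
    """Return (rule, detail) findings; trash_contents lists the Trash folder."""
    by_name = {e.name.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not (e.is_dir and e.hidden):
            continue
        twin = by_name.get(e.name.lower() + ".exe")
        if twin and not twin.is_dir:          # executable posing as the hidden folder
            findings.append(("folder-mimic", f"{twin.name} shadows {e.name}"))
        if e.name.lower() == "trash":
            findings.append(("hidden-trash", e.name))
            for t in trash_contents:          # staged "update" file inside Trash
                if not t.is_dir and t.name.lower() == "update":
                    findings.append(("trash-update", t.name))
    return findings

def list_dir(path):
    """Build Entry objects from a real directory for use with scan_root."""
    out = []
    for d in os.scandir(path):
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
        out.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return out

# Constructed listing of an infected drive root matching the described layout.
SAMPLE_ROOT = [
    Entry("Reports", True, True),        # folder GoldenAce marked hidden
    Entry("Reports.exe", False, False),  # JackalWorm copy carrying a folder icon
    Entry("Trash", True, True),
    Entry("notes.txt", False, False),
]
SAMPLE_TRASH = [Entry("update", False, False)]

if __name__ == "__main__":
    print(scan_root(SAMPLE_ROOT, SAMPLE_TRASH))
```

On a mounted drive, `scan_root(list_dir("E:\\"), list_dir("E:\\Trash"))` runs the same rules against the real root listing.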

While GoldenAce is not necessarily used only to target air-gapped systems, the researchers identified a much older malware component tied to GoldenJackal that was clearly designed for this purpose. This component, dubbed GoldenDealer, was used in a single attack back in 2019 against a South Asian embassy in Belarus.

GoldenDealer appears to have been part of a previously undocumented toolset even older than the one found by Kaspersky, and was used together with a modular backdoor that the ESET researchers now call GoldenHowl and a file collector and exfiltrator dubbed GoldenRobo.

The purpose of GoldenDealer was to deliver executables received from a command-and-control (C2) server to other systems via USB drives. It monitors for connected USB devices, copies payloads to them, and then executes them on the target systems. It also includes a routine to check whether the computer is connected to the internet, and it uses USB drives to carry files back to a connected computer for exfiltration to the C2 server.

“Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets,” the researchers concluded.

The ESET report includes indicators of compromise such as file signatures, IP addresses, and domain names that can be used to build custom signatures for threat hunting inside networks.
