GoldenJackal Threat Actor
A lesser-known threat actor known as GoldenJackal has been associated with a series of cyberattacks aimed at embassies and governmental bodies, with the intention of breaching air-gapped systems through two distinct custom toolsets.
The targets have included a South Asian embassy located in Belarus and a government organization within the European Union (E.U.). GoldenJackal's primary objective appears to be the theft of sensitive information, particularly from high-value systems that are deliberately kept disconnected from the Internet.
GoldenJackal Has Been Active for Years
GoldenJackal was first identified in May 2023, when researchers reported the threat cluster's attacks that target diplomatic and government entities in the Middle East and South Asia. The group's operations can be traced back to at least 2019. A notable aspect of these intrusions is the deployment of a worm known as JackalWorm, which can infect connected USB drives and deliver a trojan referred to as JackalControl.
While there is not enough evidence to definitively attribute these activities to a particular nation-state, some tactical similarities exist with malicious tools used in campaigns attributed to Turla and MoustachedBouncer, the latter of which has also targeted foreign embassies in Belarus.
Multiple Malware Threats Deployed by GoldenJackal
Information security experts identified artifacts linked to GoldenJackal at a South Asian embassy in Belarus during August and September 2019, with further discoveries in July 2021. Notably, the threat actor successfully deployed a completely updated toolset against a European Union government entity between May 2022 and March 2024.
The sophistication demonstrated in developing and deploying two distinct toolsets specifically designed for compromising air-gapped systems over five years highlights the group's resourcefulness.
The attack on the South Asian embassy in Belarus reportedly used three previously undocumented malware families in addition to the already known JackalControl, JackalSteal and JackalWorm:
- GoldenDealer, which facilitates the delivery of executables to air-gapped systems through compromised USB drives.
- GoldenHowl, a modular backdoor capable of file theft, creating scheduled tasks, uploading and downloading files to and from a remote server, and establishing an SSH tunnel.
- GoldenRobo, a tool designed for file collection and data exfiltration.
The New Set of Threatening Tools Used in Attacks
In contrast, the attacks targeting the unnamed government organization in Europe have employed a completely new suite of malware tools, primarily written in Go. These tools are designed to collect files from USB drives, propagate malware via USB drives, exfiltrate data, and use certain compromised machines as staging servers to distribute payloads to other hosts:
- GoldenUsbCopy and its enhanced successor, GoldenUsbGo, which monitor USB drives and copy files for exfiltration.
- GoldenAce, which is used to disseminate malware, including a lightweight version of JackalWorm, to other systems (not necessarily air-gapped) through USB drives.
- GoldenBlacklist and its Python variant, GoldenPyBlacklist, which filter and package email messages of interest for later exfiltration.
- GoldenMailer, which sends the harvested data to attackers via email.
- GoldenDrive, which uploads harvested information to Google Drive.
Currently, it remains unclear how GoldenJackal initially compromises target environments. However, researchers have previously suggested that trojanized Skype installers and malicious Microsoft Word documents may serve as entry points.
How the GoldenJackal Attacks Proceed
GoldenDealer, once installed on an Internet-connected computer through an as-yet-unidentified method, activates when a USB drive is inserted. It then copies itself and an unknown worm component onto the removable device. That unknown component is believed to execute when the infected USB drive is connected to an air-gapped system; GoldenDealer then collects information about the machine and saves it to the USB drive.
When the USB device is reinserted into the Internet-connected computer, GoldenDealer transfers the information stored on the drive to an external server, which then sends back suitable payloads to be executed on the air-gapped system. The malware is also responsible for copying the downloaded executables to the USB drive. In the final stage, when the device is connected to the air-gapped machine again, GoldenDealer executes the copied executables.
Additionally, GoldenRobo runs on the Internet-connected PC, designed to retrieve files from the USB drive and send them to the attacker-controlled server. This malware, developed in Go, derives its name from a legitimate Windows utility called robocopy, which it uses to perform the file transfers.
So far, researchers have not identified a separate module responsible for transferring files from the air-gapped computer to the USB drive itself.
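The relay described above depends on the USB drive carrying executables onto the air-gapped host, so a practical control on that side is to triage removable media by file content before it is opened. The following script is an added example for this page, not GoldenJackal code and not a detection signature from the research: it walks a mounted drive, identifies Windows executables by their MZ/PE headers rather than by extension, and flags executable content hiding behind a non-executable extension or a hidden path. The sample drive layout in `build_sample_drive()` is constructed here for illustration.

```python
"""
Offline triage of a removable drive before it is used on an air-gapped host.

Added example, not GoldenJackal tooling: identifies Windows executables by
content (MZ header + PE signature), independent of the file extension, and
reports disguised or hidden items. The sample drive is constructed locally.
"""
import os
import stat
import struct
import tempfile

# Extensions under which PE content is expected; anything else is a disguise.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".cpl"}


def is_pe(path):
    """True if the file starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            header = f.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def is_hidden(path, root):
    """Hidden via a dot-prefixed path component (POSIX convention) or the
    Windows hidden attribute, when the platform exposes it."""
    rel = os.path.relpath(path, root)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_removable(root):
    """Return {relative_path: [reasons]} for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if is_pe(path):
                if ext in EXEC_EXTS:
                    reasons.append("executable")
                else:
                    reasons.append("executable content disguised as %s"
                                   % (ext or "no extension"))
            if is_hidden(path, root):
                reasons.append("hidden")
            if reasons:
                findings[rel] = reasons
    return findings


def make_pe_stub():
    """Minimal bytes that satisfy is_pe(): MZ header whose e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


def build_sample_drive():
    """Constructed sample layout standing in for a mounted USB drive."""
    root = tempfile.mkdtemp(prefix="usb_")
    layout = {
        "report.docx": b"PK\x03\x04 constructed document bytes",
        "notes.txt": b"meeting notes, nothing executable",
        "tools/helper.exe": make_pe_stub(),          # overt executable
        ".cache/update.dat": make_pe_stub(),         # PE hiding behind .dat in a dot-directory
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_removable(build_sample_drive()).items()):
        print("%-24s %s" % (rel, "; ".join(reasons)))
```

Running it against a real drive means passing the mount point to `scan_removable()`; a review of everything it flags, before any file is opened on the isolated host, is the point of the exercise, since the page notes that the payloads are staged as ordinary files on the drive rather than through any exploit.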
Fielding two distinct toolsets for compromising air-gapped networks within five years shows that GoldenJackal is a capable, well-resourced actor that understands the network segmentation its targets rely on.