GoldenJackal
GoldenJackal is an advanced persistent threat active since 2019.[1]
Targets
[edit]According to Kaspersky targets include the governments of Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.[1][2]
They have also targeted the European Union in 2022.[3]
Methods
[edit]Some attacks have been seen to use the Follina vulnerability.[1] This exploit uses malicious Microsoft Word documents that execute PowerShell commands via the Microsoft Support Diagnostic Tool.[4]
Toolkit
[edit]In the attack on the European Union a new toolkit was noted by ESET.[3][2] This included code written in Go and Python.[3][2] This toolkit can steal documents from airgapped machines by some elements of the kit infecting machines via USB flash drive.[3][2] Infected machines that aren't connected to a network can hide stolen documents on a USB drive in a way that infected machines connected to a network can retrieve and send to attacker.[3][2]
Possible Russian connection
[edit]ESET noted that the command and control protocol used by the groups malware is typically used by Turla, which is connected the Federal Security Service of Russia, suggesting the group may be Russian speakers.[5]
References
[edit]- ^ a b c Toulas, Bill (2023-05-23). "GoldenJackal state hackers silently attacking govts since 2019". Bleeping Computer. Retrieved 2024-10-15.
- ^ a b c d e Toulas, Bill (2024-10-08). "European govt air-gapped systems breached using custom malware". Bleeping Computer. Retrieved 2024-10-16.
- ^ a b c d e Goodin, Dan (2024-10-12). "A Mysterious Hacking Group Has 2 New Tools to Steal Data From Air-Gapped Machines". Wired. Archived from the original on 12 Oct 2024. Retrieved 2024-10-15.
- ^ Ilascu, Ionut (2022-05-30). "New Microsoft Office zero-day used in attacks to execute PowerShell". Bleeping Computer.
- ^ Lyons, Jessica (2024-10-09). "Moscow-adjacent GoldenJackal gang strikes air-gapped systems with custom malware". The Register. Retrieved 2024-10-16.