Researchers have spotted an APT group named GoldenJackal, which has been observed targeting government and diplomatic entities in the Middle East and South Asia.
Active since 2019, employing tools designed for controlling victim machines and carrying out espionage activities and employs fake Skype installers and malicious Word documents as initial attack vectors.
The fake Skype installer acts as a dropper, containing two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer.
The malicious Word documents instead utilize a remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.
The JackalControl Trojan is the primary malware employed by GoldenJackal. It allows the attackers to gain remote control over targeted machines using a set of predefined and supported commands and focuses on maintaining persistence while others run without infecting the system.
The also reportedly utilizes a tool called JackalSteal, which monitors removable USB drives, remote shares, and logical drives within the targeted system.
GoldenJackal was seen deploying additional tools such as JackalWorm, JackalPerInfo, and JackalScreenWatcher.
The toolkit seems to be under development – the number of variants shows that they are still investing in it. The attacks were limited to a small group of high-profile entities, and a tool like JackalWorm is probably difficult to bind and can easily get out of control.
To mitigate the risk of falling victim to targeted attacks, it is recommended to implement several security measures such as incorporating latest threat intelligence, upskilling cybersecurity teams with specialized training, and deploying EDR solutions and Log management.
This research was documented by researchers from Kaspersky