
GoldenJackel APT targets Airgap Networks


Researchers at ESET have uncovered a threat actor dubbed GoldenJackal that uses a malware toolset specifically designed to target air-gapped machines.

In general, air-gapped machines are reserved for highly sensitive information or critical operational tasks. In this case, the machines in question were housed at a pair of government offices in Europe.

The origin of the threat actor is unknown and attribution remains unclear. The group resembles other Russian espionage operations in its methods and tools and focuses on the Middle East and South Asia, though threat actors commonly pivot to Western governments and targets as needed.


The attacks against a South Asian embassy in Belarus made use of custom tools that have been seen only in that specific instance. That campaign used three main components: GoldenDealer, which delivers executables to the air-gapped system by monitoring USB drives; GoldenHowl, a modular backdoor with various functionalities; and GoldenRobo, a file collector and exfiltrator.

In the more recent campaign, the target was a South Asian government outpost based in Europe. The attackers first compromised an internet-facing machine, installing a relatively common set of malware payloads designed to build a foothold on the network. Their implants, usually written in C#, carry the names JackalControl, JackalSteal, JackalWorm, JackalPerInfo and JackalScreenWatcher.

Once the malware has infected the external-facing machine, alongside its usual activities such as stealing credentials and spying on user activity, it seeks to reach air-gapped computers. It does this by targeting any connected USB drives: because air-gapped computers have no network connection, any transfer of data must be conducted via thumb drives, and this is how the malware finds its way in.


It is probable that this unknown component finds the most recently modified directory on the USB drive, hides it, and renames itself with the name of that directory, as JackalWorm does. The component also uses a folder icon to entice the user to run it when the USB drive is inserted into an air-gapped system, which again mirrors JackalWorm's behaviour.

From there, the malware checks for an internet connection by regularly querying Cloudflare's 1.1.1.1 public DNS service. If the request fails, the malware assumes the system is offline and performs a different set of tasks. The collected data is then placed back on the USB drive with the intent of being handed off to another infected system that can communicate with the command-and-control server.
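As an added defensive example (not code from the article or from ESET), the Python script below checks a removable drive for the folder-masquerading pattern described above: an executable that carries the same name as a sibling directory, with that directory optionally hidden. The sample drive layout it builds in a temporary directory is constructed for the illustration; the names Reports, Reports.exe and setup.exe are assumptions and are not taken from the report.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions that Windows will execute on double-click; a "folder" with one of
# these suffixes is the pattern worth flagging on a USB drive.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_hidden(path: Path) -> bool:
    """Hidden by dot-prefix (POSIX) or by the FILE_ATTRIBUTE_HIDDEN flag (Windows)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows-only field
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def find_folder_masquerades(root):
    """Return executables whose base name matches a directory in the same folder.

    Each finding records the executable, the directory it shadows and whether
    that directory is hidden, since hiding the real folder is what makes the
    lookalike executable the only 'folder' the user sees.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Map visible names to real directory names, ignoring a leading dot so a
        # POSIX-hidden ".Reports" still matches "Reports.exe".
        dir_by_name = {d.lstrip("."): d for d in dirnames}
        for fname in filenames:
            f = here / fname
            if f.suffix.lower() not in EXEC_SUFFIXES:
                continue
            shadowed = dir_by_name.get(f.stem)
            if shadowed is None:
                continue
            target = here / shadowed
            findings.append({
                "executable": str(f),
                "shadowed_dir": str(target),
                "dir_hidden": is_hidden(target),
            })
    return findings


def build_constructed_sample():
    """Build a constructed USB-like tree: one masquerade, one benign installer."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Reports").mkdir()
    (root / "Reports" / "q3.docx").write_bytes(b"constructed document")
    # Executable named after the sibling directory: the pattern to flag.
    (root / "Reports.exe").write_bytes(b"MZ constructed placeholder, not a binary")
    # Executable with no matching directory: should not be flagged.
    (root / "setup.exe").write_bytes(b"MZ constructed placeholder, not a binary")
    (root / "notes.txt").write_bytes(b"constructed text file")
    return root


if __name__ == "__main__":
    sample_root = build_constructed_sample()
    for finding in find_folder_masquerades(sample_root):
        print(f"SUSPECT {finding['executable']} shadows "
              f"{finding['shadowed_dir']} (hidden={finding['dir_hidden']})")
```

Point the scanner at a mounted removable drive instead of the constructed tree to use it for real; the hidden-attribute check only carries meaning on Windows, so on other platforms treat any name match as worth a look regardless of the `dir_hidden` value.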

In the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform different tasks. Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes.

The attacks should serve as a reminder to admins that even extreme measures such as air-gapping can be overcome, and that all systems in a facility should be regularly monitored and scanned.

For more details, refer to the link

Indicators of Compromise
