APT group GoldenJackal spied on air-gapped networks of a government organization in the EU

  • APT group GoldenJackal has been using its own set of tools to attack isolated (air-gapped) systems at the embassy of a South Asian country in Belarus since at least August 2019.
  • In another attack, GoldenJackal deployed a highly modular toolkit in Europe on various occasions between May 2022 and March 2024 against a government organization in a European Union country.
  • These toolkits give GoldenJackal a broad set of options for compromising and persisting in target networks. Compromised systems are assigned different roles in the local network: collecting interesting, probably confidential, information; processing it; distributing files, configurations and commands to other systems; and exfiltrating files.
  • GoldenJackal’s ultimate goal is very likely to steal confidential information, especially from critical computers that are intentionally isolated from the Internet.

ESET researchers uncovered a series of attacks that took place in Europe between May 2022 and March 2024, in which the attackers used a toolset capable of targeting systems isolated from the Internet in a government organization of a European Union country. ESET attributes the campaign to the GoldenJackal APT group, which targets government and diplomatic entities. By analyzing the set of tools deployed by this group, ESET also identified an earlier attack, carried out by GoldenJackal in 2019 against the embassy of a South Asian country in Belarus, which targeted the embassy’s air-gapped systems with the group’s own tools. GoldenJackal’s ultimate goal is very likely to steal confidential and highly sensitive information, especially from critical devices that may not be connected to the Internet. ESET presented its findings at the Virus Bulletin 2024 conference.

To minimize the risk of compromise, highly sensitive networks are often isolated from other networks. Organizations typically isolate their most valuable systems, such as voting systems and the industrial control systems that operate power grids, and such networks are naturally of great interest to attackers. Compromising an isolated (air-gapped) network is far more resource-intensive than compromising an Internet-connected system, which is why the frameworks built for this purpose have so far come exclusively from Advanced Persistent Threat (APT) groups, and their goal has always been espionage.

“In May 2022, we discovered a set of tools that we could not assign to any APT group. However, when the attackers used a tool similar to one that was already publicly documented, we were able to dig deeper and find a connection between the publicly documented GoldenJackal toolkit and this new toolkit. Based on this, we were able to identify an earlier attack that deployed a publicly documented toolset, as well as an older toolset that also has capabilities to target isolated systems,” says ESET researcher Matías Porolli, who analyzed the GoldenJackal toolkit.

GoldenJackal targets government entities in Europe, the Middle East and South Asia. ESET detected GoldenJackal tools at the South Asian country’s embassy in Belarus in August and September 2019 and again in July 2021. More recently, according to ESET telemetry, another government organization in Europe was attacked repeatedly from May 2022 to March 2024.

Given the level of sophistication required, it is quite unusual for a group to deploy not one, but two separate toolsets designed to compromise isolated systems within five years; this testifies to GoldenJackal’s resourcefulness. The attacks on the embassy of the South Asian country in Belarus used a toolset of the group’s own that ESET has so far seen only in this case. The campaign used three main components: GoldenDealer, which delivers executable files to an isolated system by monitoring USB drives; GoldenHowl, a modular backdoor with various functions; and GoldenRobo, a file collector and exfiltrator.

“When a victim inserts a compromised USB drive into an isolated system and clicks on a folder that has a folder icon but is actually a malicious executable file, GoldenDealer is installed and launched, which begins collecting information about the isolated system and saves it to the USB drive. When the disk is re-inserted into the computer connected to the Internet, GoldenDealer takes the information about the computer connected to the Internet from the USB disk and sends it to the command-and-control (C&C) server. The server responds with one or more executable files to be run on a PC connected to the network. Finally, when the disk is re-inserted into the isolated PC, GoldenDealer takes the executable files from the disk and runs them. No user interaction is required as GoldenDealer is already running,” explains Porolli.
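The first hop of the relay described above depends on a lure: an executable on the removable drive that the victim takes for a folder. The following Python script is an added example, not part of the original article and not ESET’s or GoldenJackal’s code; it scans a mounted removable drive for PE executables posing as folders. The three disguises it checks (a PE file with no or a non-executable extension, a decoy second extension such as `.pdf.exe`, and a file named after a sibling folder so that Windows, which hides known extensions by default, displays two “folders” of the same name) are generic USB-lure tricks assumed for the illustration; the article says only that the lure carried a folder icon. The sample drive layout it builds is constructed for the demo.

```python
"""
Scan a mounted removable drive for executables disguised as folders.

Added illustration, not ESET's or GoldenJackal's code. The three disguises
it models are generic USB-lure tricks assumed here, not details the
article states about GoldenDealer.
"""
import struct
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".dll"}


def is_pe(path: Path) -> bool:
    """True if the file has an MZ stub and a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with path.open("rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan_drive(root) -> dict[str, list[str]]:
    """Return {relative path: [reasons]} for every PE image that looks disguised."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    dir_cache: dict[Path, set[str]] = {}
    for p in root.rglob("*"):
        if not p.is_file() or not is_pe(p):
            continue
        reasons = []
        suffix = p.suffix.lower()
        if suffix not in EXEC_SUFFIXES:
            reasons.append("PE image without an executable extension")
        # "Invoice.pdf.exe": the stem still carries a decoy extension.
        if suffix in EXEC_SUFFIXES and Path(p.stem).suffix:
            reasons.append("double extension hides the executable suffix")
        # Windows hides known extensions by default, so "Reports.exe" next to
        # a (usually hidden) "Reports" folder shows up as a second "Reports".
        parent = p.parent
        if parent not in dir_cache:
            dir_cache[parent] = {q.name.lower() for q in parent.iterdir() if q.is_dir()}
        if p.stem.lower() in dir_cache[parent]:
            reasons.append("named after a sibling folder")
        if reasons:
            findings[p.relative_to(root).as_posix()] = reasons
    return findings


def make_pe_stub() -> bytes:
    """Smallest byte string is_pe() accepts; stands in for a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS stub
    return bytes(dos) + b"PE\0\0" + bytes(20)


def build_sample_drive() -> Path:
    """Constructed drive layout for the demo; not a real capture."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Reports").mkdir()                          # genuine folder
    (root / "Reports" / "q3.txt").write_text("quarterly figures")
    (root / "Reports.exe").write_bytes(make_pe_stub())  # fake "folder" beside the real one
    (root / "Photos").write_bytes(make_pe_stub())       # PE with no extension at all
    (root / "Invoice.pdf.exe").write_bytes(make_pe_stub())
    (root / "setup.exe").write_bytes(make_pe_stub())    # ordinary executable, not flagged
    (root / "notes.txt").write_text("not an executable")
    return root


if __name__ == "__main__":
    for path, why in sorted(scan_drive(build_sample_drive()).items()):
        print(f"{path}: {'; '.join(why)}")
```

Run it against a real mount point instead of `build_sample_drive()` to audit a drive before it is carried into an isolated network; an ordinary `setup.exe` is deliberately not reported, since the check targets disguise rather than the mere presence of executables.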

In the latest series of attacks against a government organization in the European Union, GoldenJackal moved from its original toolkit to a new, highly modular one. This modularity applies not only to the malicious tools but also to the roles assigned to compromised machines in the network: among other things, they were used to collect and process interesting, possibly confidential information, to distribute files, configurations and commands to other systems, and to exfiltrate files.

More technical details (in English) are available in the dedicated blogpost on WeLiveSecurity. The latest findings from ESET researchers are posted on X (formerly Twitter) by ESET Research.

About ESET

ESET® provides top-notch digital security that prevents attacks before they happen. By combining the power of artificial intelligence with human expertise, ESET stays ahead of known and emerging cyber threats, protecting companies, critical infrastructure and individuals. Whether protecting endpoints, cloud or mobile devices, our AI- and cloud-based solutions and services remain highly effective and easy to use. ESET technologies include robust detection and response, highly secure encryption and multi-factor authentication. With continuous real-time protection and strong local support, we keep users safe and businesses up and running. The ever-evolving digital environment requires a progressive approach to security. ESET’s priority is world-class research and powerful threat analysis, supported by research and development centers and a strong global partner network. You can find more information at www.eset.sk or follow us on LinkedIn, Facebook and X.

Source: www.nextech.sk