Furtive and subtle, the advanced persistent threat has been lurking for five years before being ferreted out

Active since 2019 but only gaining attention in mid-2020, an advanced persistent threat group targeting government and diplomatic entities in the Middle East and South Asia has been brought to light.

The capable and moderately stealthy actor, GoldenJackal, deploys a specific toolset intended to control the machines of their victims, to spread across systems using removable drives, and to exfiltrate files for espionage.

According to Kaspersky investigators, the following activities have been traced to the threat group:

    • Use of fake Skype installers and malicious Word documents as initial vectors for their attacks. The fake installers contain two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. Another infection vector is a malicious document that uses the remote template injection technique to download a malicious HTML page that exploits CVE-2022-30190 (Follina). The first description of the Follina vulnerability was published on May 29, 2022. The malicious document appears to have been modified on 1 June, two days after publication, and was first detected on 2 June.
    • JackalControl is the main trojan, allowing the attackers to control the target machine remotely through a set of predefined and supported commands. Some variants of the trojan include code to maintain persistence; others are built to run without infecting the system. The compromised machine usually gets infected by other components, such as a batch script.
    • Another important tool usually deployed by GoldenJackal is JackalSteal, a tool used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.
    • Finally, GoldenJackal uses a number of additional tools, such as JackalWorm, JackalPerInfo and JackalScreenWatcher. Kaspersky researchers saw them deployed in specific cases to control compromised machines, steal credentials, take screen captures of the desktop and so on.
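
The remote template injection vector in the first item above leaves a trace inside the document container: an attachedTemplate relationship whose target is fetched from outside the file. The Python check below looks for that trace; it is an added example, not Kaspersky's tooling, and the function names, sample documents and example.invalid URLs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input at scale, defusedxml is safer

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE = ("http://", "https://", "\\\\")  # web URLs and UNC paths
MAX_PART = 1_000_000  # skip oversized .rels parts instead of inflating them

def find_remote_templates(docx_bytes):
    """Return (part, target) for each attached template fetched from a remote host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                continue  # unreadable relationship part: nothing to inspect
            for rel in root.iter(REL):
                target = rel.get("Target", "")
                if (rel.get("Type", "").endswith("/attachedTemplate")
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith(REMOTE)):
                    hits.append((info.filename, target))
    return hits

def make_docx(parts):
    """Build a minimal constructed OOXML container from {part name: xml}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

def rels(rel_type, target):
    """Constructed .rels part holding one external relationship."""
    return ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}{rel_type}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')

# Constructed samples: a remote template, and an ordinary external hyperlink.
SUSPECT = make_docx({"word/_rels/settings.xml.rels":
                     rels("attachedTemplate", "https://example.invalid/t.dotm")})
BENIGN = make_docx({"word/_rels/document.xml.rels":
                    rels("hyperlink", "https://example.invalid/page")})

if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, find_remote_templates(doc))
```

Templates referenced by a local file path are deliberately not reported, since ordinary documents carry those.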

According to the firm’s senior security researcher, Giampaolo Dedola: “Possessing an advanced malware toolset, it has been quite prolific in its attacks on government and diplomatic entities in the Middle East and Southern Asia. Since some of the malware implants are still in the developing stages, it is crucial for cybersecurity teams to watch out for any possible attacks that might be performed by the actor.”