GoldenJackal, an Advanced Persistent Threat (APT) group that has been targeting government and diplomatic entities in Europe, the Middle East, and South Asia since at least 2019, has gotten attention from security researchers due to its successful breaching of air-gapped systems, a feat typically reserved for nation-state actors.
Researchers have detailed operational tactics, techniques, and procedures (TTPs) used by GoldenJackal during the group’s breach of these systems.
GoldenJackal Tools
One of the most striking aspects of GoldenJackal’s operations is their prowess in compromising air-gapped networks – systems isolated from the internet to minimize the risk of cyberattacks. For cybercriminals, breaching air-gapped networks can be immensely challenging, with the task typically reserved for only the most sophisticated of APT groups.
Researchers from ESET say that GoldenJackal appears to have developed and successfully deployed two separate toolsets designed to break such systems. The first toolset, used in an attack against a South Asian embassy in Belarus, consisted of three main components: GoldenDealer, GoldenHowl, and GoldenRobo.
- GoldenDealer: GoldenDealer is a malicious component that can deliver executables to air-gapped systems via USB drives. It monitors the insertion of removable drives on both air-gapped and connected PCs, as well as internet connectivity. GoldenDealer uses configuration files located in the directory from which the malware is running. These files store status fields, executable files sent by the C&C server, information about compromised PCs, and a mutex to prevent multiple instances from running.
- GoldenHowl: GoldenHowl is a modular backdoor from GoldenJackal’s 2019 toolset with various functionalities distributed as a self-extracting archive that contains legitimate Python binaries and libraries alongside malicious scripts.
- GoldenRobo: GoldenRobo is the final component of the toolset and is written in Go. It iterates across all drive letters from A to Z, trying to access each drive.
In a later series of attacks against a European Union governmental organization, GoldenJackal deployed a second highly modular toolset that allows attackers to collect and process information, distribute files and configurations, and fully exfiltrate files from affected systems.
Breach of Air-Gapped Systems
The researchers note that for the level of sophistication usually required to compromise air-gapped systems, GoldenJackal’s capability to build and deploy not just one but two specific compromise toolsets for these systems within five years is unprecedented.
This may indicate the resourcefulness of the group along with the design of intricate attack processes involved in the use of GoldenDealer to monitor compromised internet-connected systems, downloading executables from a command-and-control (C&C) server, and executing them on the air-gapped machines.
While these toolsets are quite sophisticated, the researchers stress that they are not without flaws and that defenders can prepare themselves better against future attacks by observing their tactics. The researchers have shared a public list of IOCs on GitHub for defenders to monitor.
