A new cross-platform malware called JaskaGO has been discovered, posing a threat to both Windows and Apple macOS systems. Unearthed by AT&T Alien Labs, this Go-based information stealer malware comes with a range of commands from its command-and-control (C&C) server. The malware was initially detected with artifacts designed for macOS in July 2023, disguising itself as installers for legitimate software like CapCut, AnyConnect, and security tools.
JaskaGO exhibits sophisticated behaviors upon installation, including checks to determine if it is running within a virtual machine environment. If detected in a VM, it executes harmless tasks like pinging Google or printing a random number, likely to evade detection. In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C server for further instructions. These instructions include executing shell commands, enumerating running processes, and downloading additional payloads.
On macOS, the malware employs a multi-step process to establish persistence within the system. It runs with root permissions, disables Gatekeeper protections, and creates a custom launch daemon to ensure automatic launch during system startup. The malware is also capable of modifying the clipboard to facilitate cryptocurrency theft by substituting wallet addresses and extracting files and data from web browsers.
JaskaGO is part of a growing trend in malware development that leverages the Go programming language for its simplicity, efficiency, and cross-platform capabilities, making it an attractive choice for creating versatile and sophisticated threats. The distribution method of JaskaGO and the scale of the campaign remain unclear as of now.
