Kaspersky researchers have unveiled the activities of an undocumented Advanced Persistent Threat (APT) group named GoldenJackal, which has been conducting espionage on government and diplomatic entities in the Middle East and South Asia since 2019.
GoldenJackal employs a specific toolset of .NET malware, including JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher, enabling them to gain control over victim machines, spread through removable drives, exfiltrate files, steal credentials, monitor web activities, and capture desktop screenshots. The group has demonstrated a constant level of activity, indicating their ability to evade detection.
The GoldenJackal APT has utilized deceptive techniques such as fake Skype installers and weaponized Word documents as initial attack vectors. Kaspersky’s report highlights a .NET executable file named skype32.exe, masquerading as a legitimate Skype installer, which served as a dropper for the JackalControl Trojan and a genuine Skype for Business standalone installer.
Another infection vector involved a malicious document using remote template injection to download a harmful HTML page exploiting the Follina vulnerability.
The researchers observed that the GoldenJackal APT continuously updated their malware, with JackalControl being a remote control Trojan supporting operations like executing arbitrary programs, downloading and uploading files, and employing HTTPS communications with command-and-control (C2) servers.
Additionally, the group employed JackalSteal to identify and exfiltrate files of interest, JackalWorm to spread through removable USB drives, and JackalPerInfo to collect system information and potential credentials. JackalScreenWatcher was utilized to capture desktop screenshots and send them to a remote C2 server.
While the GoldenJackal APT has similarities to the Russia-linked Turla cyber-espionage group, no direct links have been established. The group has targeted a limited number of government and diplomatic entities in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.
Kaspersky’s analysis suggests that the group deliberately limits its victim count to reduce visibility, predominantly focusing on unprotected systems and aiming to evade specific security solutions.
The researchers concluded that GoldenJackal’s toolkit is still under development, with the latest malware variant, JackalWorm, appearing in the latter half of 2022 and likely still in the testing phase.