GoldenJackal Targets Diplomatic Entities in Middle East, South Asia


A recently discovered advanced persistent threat (APT) group named GoldenJackal has been observed targeting government and diplomatic entities in the Middle East and South Asia.

According to a new advisory published by Kaspersky earlier today, GoldenJackal has been active since 2019, employing tools designed for controlling victim machines and carrying out espionage activities.

“Based on their toolset and the attacker’s behavior, we believe the actor’s primary motivation is espionage,” explained senior security researcher Giampaolo Dedola.

The company said it has been monitoring GoldenJackal since mid-2020. Its investigation revealed that the group employs fake Skype installers and malicious Word documents as initial attack vectors. 

The fake Skype installer acts as a dropper, containing two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. 

The malicious Word documents instead utilize a remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.


The JackalControl Trojan is the primary malware employed by GoldenJackal. It allows the attackers to gain remote control over targeted machines using a set of predefined and supported commands. 

Kaspersky has observed different variants of this malware; some focused on maintaining persistence while others run without infecting the system. 

The group also reportedly utilizes a tool called JackalSteal, which monitors removable USB drives, remote shares and logical drives within the targeted system.

Furthermore, in specific cases, GoldenJackal was seen deploying additional tools such as JackalWorm, JackalPerInfo and JackalScreenWatcher. 

“[GoldenJackal]’s toolkit seems to be under development – the number of variants shows that they are still investing in it. The latest malware, JackalWorm, appeared in the second half of 2022 and appears to still be in the testing phase,” Dedola wrote in the advisory.

“This tool was unexpected because in previous years, the attacks were limited to a small group of high-profile entities, and a tool like JackalWorm is probably difficult to bind and can easily get out of control.”

To mitigate the risk of falling victim to targeted attacks, Kaspersky researchers recommend implementing several security measures.

These include providing access to the latest threat intelligence, upskilling cybersecurity teams with specialized training and deploying endpoint detection and response (EDR) solutions, among others.
