This Hazardous APT Group Targets South Asian And Middle Eastern Diplomats

JAKARTA - A new Advanced Persistent Threat (APT) group, Golden Jackal, has been discovered by Kaspersky; it frequently targets government and diplomatic entities in South Asia.

Golden Jackal is known to have been active since 2019 but has no public profile. The group targets not only South Asia but also the Middle East.

Kaspersky, as a security company, began monitoring the group in mid-2020 after observing consistent activity, and said the group kept a low profile.

The Golden Jackal group uses a set of custom tools aimed at controlling its victims' machines, spreading across systems via removable drives, and exfiltrating specific files, indicating that the actor's goal is espionage.

"Golden Jackal is an interesting APT actor who tried not to stand out too much; even though he first started operations in June 2019, he managed to stay under the radar," said Giampaolo Dedola, senior security researcher at the Kaspersky Global Research and Analysis Team (GReAT), in a statement quoted Thursday, June 1.

"Having a set of advanced malware tools, he was quite productive in his attacks on governments and diplomatic entities in the Middle East and South Asia," he added.

As Kaspersky's investigation shows, Golden Jackal uses fake Skype installers and malicious Word documents as the initial vectors of its attacks.

The fake Skype installer is an executable file of about 400 MB. It is a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for Business installer.

The first use of this tool is traced back to 2020. Another infection vector is a malicious document that uses the remote template injection technique to download a malicious HTML page that exploits the Follina vulnerability.
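Remote template injection leaves a concrete artifact in the document itself: an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose target is external (an HTTP URL) instead of a local template. The scanner below is an added example, not Kaspersky's code and not derived from the Golden Jackal sample; it constructs a minimal docx-like zip in memory (the file names and the placeholder URL are assumptions for the demo) and flags any external attached template so a triage analyst can spot such documents before they are opened.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the attachedTemplate relationship type.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes):
    """Return (rels_part, relationship_id, target) for every attachedTemplate
    relationship that points outside the package (TargetMode="External").

    A benign document attaches a local .dotx/.dotm or nothing at all; an
    external HTTP(S) target is the hallmark of remote template injection."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Relationships live in *.rels parts; the template one is in
            # word/_rels/settings.xml.rels, but scan every rels part to be safe.
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not our concern here
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def build_sample_docx(template_target=None):
    """Constructed test input: a minimal zip with just enough OOXML parts for
    the scanner. Not real Word output. If template_target is given, an
    external attachedTemplate relationship is added, mimicking the technique."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr(
            "word/settings.xml",
            '<?xml version="1.0"?><settings>'
            + ('<attachedTemplate id="rId1"/>' if template_target else "")
            + "</settings>",
        )
        if template_target:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<?xml version="1.0"?><Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    # Placeholder URL (assumption for the demo), not an indicator from the report.
    suspicious = build_sample_docx("http://template.example.invalid/layout.dotm")
    print("clean:", find_remote_templates(clean))
    print("suspicious:", find_remote_templates(suspicious))
```

On a real mailbox or file-share sweep the same function is applied to each `.docx`/`.dotx` read from disk; a hit is a strong reason to detonate the file in a sandbox rather than open it, because the HTML fetched from the external target is what carries the Follina exploit, and it is not present in the document itself.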

The document was named "Galery of Officers Who Have Received National and Foreign Awards.docx" and appeared as an official circular requesting information about officers decorated by the Pakistani government.

The first description of the Follina vulnerability was published on May 29, 2022; this document appears to have been modified on June 1, two days after that publication, and was first detected on June 2.

Furthermore, the document is configured to load an external object from a legitimate website that had been compromised. Once the external object is downloaded, an executable file containing the JackalControl Trojan is launched.

JackalControl is the main Trojan; it lets the attackers remotely control the target machine through a set of predefined commands.

Over the years the attackers have distributed several variants of this malware: some include code to maintain persistence, while others are configured to run without installing themselves on the system. In the latter case the machine is usually infected by other components, such as batch scripts.

The second important tool commonly used by the Golden Jackal group is JackalSteal. This tool can monitor removable USB drives, remote shares, and all logical drives on the targeted system.

The malware can run as a standard process or as a service. It does not maintain persistence on its own, so it has to be installed by other components.

Golden Jackal also uses a number of additional tools, such as JackalWorm, JackalPerInfo, and JackalScreenWatcher, which Kaspersky researchers said were deployed only in certain cases.

These tools are aimed at controlling the victim's machine, stealing credentials, and taking screenshots of the desktop, with espionage as the ultimate goal.

"Because some malware implants are still in the development stage, it is important for cybersecurity teams to be aware of possible attacks that may be carried out by related actors," said Dedola.

"We hope that the analysis we are doing will help prevent the dangerous activities of Golden Jackal," he added.