GoldenJackal is a threat actor group known for sophisticated cyber-espionage activity. The group relies on spear-phishing, vulnerability exploitation, and a .NET malware toolset to establish persistence on victims' machines, move laterally across systems, and exfiltrate sensitive information such as account credentials, system information, browser history, and user files. GoldenJackal's toolset can copy files from air-gapped systems and carry them to internet-connected systems on USB drives for exfiltration. The group uses several encryption schemes, including XOR, Fernet, and AES, to protect its configuration files and the files staged for exfiltration. It has also been observed executing PowerShell scripts that download the JackalControl malware from compromised WordPress websites.
The GoldenJackal APT group has been linked to a series of attacks targeting air-gapped systems at governmental organizations. Kaspersky has noted similarities between the GoldenJackal malware and Kazuar, a Trojan used by the Russian state cyber-espionage group Turla, also known as Uroburos, Snake, and Venomous Bear. However, Kaspersky stops short of definitively attributing GoldenJackal to any known threat actor. The group uses legitimate tools such as Plink and PsExec for post-compromise operations, and uses Google Drive to store both exfiltrated files and those legitimate tools. GoldenJackal develops its own custom malware and has used compromised WordPress sites as Command & Control (C&C) infrastructure for the JackalControl and JackalSteal malware.
In terms of infrastructure, GoldenJackal has likely acquired servers for its operations: most probably a server used as the primary C&C server for the GoldenDealer malware, and a Virtual Private Server (VPS) serving as a secondary C&C server for the same malware. The secondary C&C server was reportedly in use by GoldenJackal as early as August 9, 2019. The group's activities pose a significant threat to government organizations and other high-value targets, and call for robust cybersecurity measures to counter its sophisticated tactics.
Description last updated: 2024-10-08T11:32:25.270Z