GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

In Dehradun, a cyberattack led to the shutdown of around 186 government websites for nearly 60 hours, starting from the afternoon of October 2. An unidentified hacker reportedly breached the Information Technology Development Agency (ITDA) server, locking data files and demanding a ransom, according to the state cyber police. The case has been registered in Dehradun’s state cyber police station.

During a press briefing, Inspector General (Law & Order) Nilesh Anand Bharne, along with DIG Senthil Avoodai Krishna Raj S and SSP (STF) Navneet Singh, stated that a special investigation team (SIT) has been established to handle the case. This follows a report from *The Times of India* indicating that an “outsider” had breached the outer firewall of the state’s data center.

Bharne noted that the attack took place between 2:45 pm and 2:55 pm last Wednesday while a technical team was resolving issues with the Crime and Criminal Tracking Network and Systems (CCTNS). During this process, the system unexpectedly stopped working, and several other government websites also went offline. Investigations revealed that the hacker gained unauthorized access to the ITDA server, locking data files in a suspected ransomware attack. The attacker left a message instructing officials to contact two email addresses, ‘hermesaa@tutamail.com’ and ‘linger11@cock.li’, to regain access to the data, demanding a ransom in return.

Despite the attack, Bharne assured that no data was lost, as IT experts promptly restored the affected websites using backup data. “The entire system was temporarily shut down for a comprehensive deep scan of all websites and systems while the state cyber police gathered digital evidence for further analysis,” Bharne added. The case has been filed under section 308(4) (extortion) of the BNS and sections 65, 66, and 66(c) of the IT Act.

Experts from various central agencies, including the Indian Cyber Crime Coordination Centre (I4C), the National Investigation Agency (NIA), CERT-In, and the National Critical Information Infrastructure Protection Centre (NCIIPC), are aiding in the technical investigation to evaluate the virus infection. Bharne mentioned that “almost all key government websites have been restored.”

An unnamed police officer involved in the case confirmed to *The Times of India* that the ransom demand was made in cryptocurrency. “No ransom was paid, following the clear mandate of CERT-In, which prohibits such payments. Additionally, no data was lost as the ITDA maintains two separate backup data centers across the country,” the officer said.

The cyberattack on the South Asian embassy in Belarus reportedly involved multiple malware families, including *JackalControl*, *JackalSteal*, and *JackalWorm*, as well as three other specific strains:

– **GoldenDealer**: Used to deliver executables to air-gapped systems through compromised USB drives.

– **GoldenHowl**: A modular backdoor with functionalities to steal files, create scheduled tasks, upload and download files to and from a remote server, and establish an SSH tunnel.

– **GoldenRobo**: A tool designed for file collection and data exfiltration.

The cyberattacks on an unnamed government organization in Europe utilized a distinct set of malware tools, primarily written in Go, to carry out a range of malicious activities. These tools were engineered to collect files from USB drives, spread malware, exfiltrate data, and use specific machines in the network as staging servers for distributing payloads to other hosts. The toolset includes the following components:

– **GoldenUsbCopy** and its enhanced version **GoldenUsbGo**: These tools monitor USB drives and copy files for later exfiltration.

– **GoldenAce**: Used to propagate the malware, including a lightweight variant of *JackalWorm*, to other systems (even those not air-gapped) via USB drives.

– **GoldenBlacklist** and its Python variant **GoldenPyBlacklist**: These components are designed to process email messages of interest and prepare them for exfiltration.

– **GoldenMailer**: Responsible for sending stolen information to attackers via email.

– **GoldenDrive**: Uploads the stolen data to Google Drive.

The initial method used by *GoldenJackal* to compromise target environments remains unclear. However, Kaspersky previously suggested that trojanized Skype installers or malicious Microsoft Word documents might be possible entry points.

– **GoldenDealer**: This malware, which is already present on a computer connected to the internet, activates when a USB drive is inserted. It copies itself and an unknown worm component to the removable device. When the infected USB drive is later connected to an air-gapped system, *GoldenDealer* saves specific information about that machine onto the USB drive.

  – When the USB device is reinserted into the internet-connected machine, *GoldenDealer* transmits the collected data to an external server. The server then responds with appropriate payloads to be executed on the air-gapped system.

  – In its final stage, when the USB drive is connected to the air-gapped machine once more, *GoldenDealer* executes the downloaded payloads stored on the device.

– **GoldenRobo**: This malware runs on the internet-connected PC and is tasked with extracting files from the USB drive and transmitting them to an attacker-controlled server. Written in Go, *GoldenRobo* gets its name from its use of the legitimate Windows utility called *robocopy* to copy files.
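The relay chain described above leaves two host-side traces that a defender can look for on the internet-connected machine: executables being written onto a removable drive, and *robocopy* being invoked with a removable drive as its source. The following detector is an added example written for this page, not code from ESET, Kaspersky or the GoldenJackal toolset. It runs over a handful of constructed Sysmon-style JSON events (event ID 1 = process creation, event ID 11 = file creation); the event field names, the sample lines and the assumption that `E:` and `F:` are the removable volumes are all assumptions of the example.

```python
"""Flag the two host behaviours the article attributes to the USB-relay chain:
  1. an executable written to a removable drive (GoldenDealer staging a payload)
  2. robocopy.exe copying *from* a removable drive (the GoldenRobo pattern)
Input: Sysmon-style events as JSON lines. Sample events are constructed."""
import json
import shlex
from typing import Iterable, Optional

# Assumption: these drive letters are the removable volumes on this host. In a real
# deployment derive this from device-arrival events rather than a fixed set.
REMOVABLE_DRIVES = {"E:", "F:"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1")

# Constructed sample events (raw string so the JSON backslash escapes survive).
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "E:\\photos\\holiday.jpg"}
{"EventID": 11, "Image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "TargetFilename": "E:\\System Volume Information\\update.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\Robocopy.exe", "CommandLine": "robocopy.exe E:\\data C:\\Users\\u\\AppData\\Local\\Temp\\out /E /NFL"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\Robocopy.exe", "CommandLine": "robocopy.exe C:\\src \\\\fileserver\\backup /MIR"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\Robocopy.exe", "CommandLine": "robocopy.exe \"F:\\My Docs\" C:\\Temp\\stage /S"}
"""


def is_removable(path: str) -> bool:
    """True when the path starts with one of the removable drive letters."""
    return path[:2].upper() in REMOVABLE_DRIVES


def robocopy_source(cmdline: str) -> Optional[str]:
    """Return robocopy's source directory: the first positional argument after the
    program name. Switches start with '/' and are skipped; quoted paths are unquoted."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    positional = [t for t in tokens[1:] if not t.startswith("/")]
    return positional[0] if positional else None


def flag_event(ev: dict) -> Optional[str]:
    """Return a finding string for a suspicious event, or None."""
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        if is_removable(target) and target.lower().endswith(EXEC_EXTENSIONS):
            return f"executable written to removable drive: {target} by {ev.get('Image')}"
    elif ev.get("EventID") == 1:
        if ev.get("Image", "").lower().endswith("robocopy.exe"):
            src = robocopy_source(ev.get("CommandLine", ""))
            if src and is_removable(src):
                return f"robocopy copying from removable drive: {ev.get('CommandLine')}"
    return None


def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines events and collect every finding."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = flag_event(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The check on the removable-drive source matters more than the presence of *robocopy* itself: the utility is legitimate and common in backup scripts, so the destination-to-temp-folder and source-from-USB combination is what separates the staging behaviour from routine use.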

ESET has yet to identify a specific module that directly copies files from the air-gapped computer onto the USB drive itself. Nonetheless, the complexity of deploying two distinct toolsets for infiltrating air-gapped networks over the past five years highlights the sophistication of *GoldenJackal* as a threat actor. The group’s awareness of network segmentation tactics used by its targets underscores their advanced capabilities.

“For an adversary to successfully deploy two separate toolsets aimed at breaching air-gapped networks within just five years indicates that *GoldenJackal* is a highly sophisticated threat actor with a deep understanding of the network defenses used by its targets,” said Porolli.
