Two never-before-seen tools, from same group, infect air-gapped devices
The evolution of the kit from 2019 and the one from three years later underscores a growing sophistication by GoldenJackal developers. The first generation provided a full suite of capabilities, including:
- GoldenDealer, a component that delivers malicious executables to air-gapped systems over USB drives
- GoldenHowl, a backdoor that contains various modules for a mix of malicious capabilities
- GoldenRobo, a file collector and exfiltrator
Within a few weeks of deploying the kit in 2019, ESET said, GoldenJackal started using other tools on the same compromised devices. The newer tools, which Kaspersky documented in its 2023 research, included:
- A backdoor tracked under the name JackalControl
- JackalSteal, a file collector and exfiltrator
- JackalWorm, used to propagate other JackalControl and other malicious components over USB drives
GoldenJackal, ESET said, continued using these tools into January of this year. The basic flow of the attack is, first, infecting an Internet-connected device through a means ESET and Kaspersky have been unable to determine. Next, the infected computer infects any external drives that get inserted. When the infected drive is plugged into an air-gapped system, it collects and stores data of interest. Last, when the drive is inserted into the Internet-connected device, the data is transferred to an attacker-controlled server.
Building a better trap
In the 2022 attack on the European Union governmental organization, GoldenJackal began using a new custom toolkit. Written in multiple programming languages, including Go and Python, the newer version took a much more specialized approach. It assigned different tasks to different types of infected devices and marshaled a much larger array of modules, which could be mixed and matched based on the attacker objects for different infections.