APT GoldenJackal: Espionage at diplomatic facilities

Kaspersky_news


The APT group GoldenJackal, described by Kaspersky, has been active since 2019. The investigation shows that the group primarily targets governmental and diplomatic institutions. Among its infection vectors, GoldenJackal has exploited the Follina vulnerability (CVE-2022-30190).

Kaspersky has been monitoring the activities of this skilled and comparatively low-profile threat actor since mid-2020. The APT group is characterized by a purpose-built toolset that allows it to control victims' computers, spread across systems via removable drives and exfiltrate selected files from them. These capabilities indicate that the actor's main motivation is espionage.

Trojanized Skype installer and Word documents

According to Kaspersky's investigation, the APT actor used a fake Skype installer and malicious Word documents as initial attack vectors. The fake Skype installer was an executable of around 400 MB. It consisted of a dropper with two embedded resources: the JackalControl Trojan and a legitimate Skype for Business installer. The first use of this tool can be traced back to 2020.

Another infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which in turn exploits the Follina vulnerability. The document, named “Gallery of Officers Who Have Received National and Foreign Awards.docx”, at first glance resembles a legitimate circular requesting information on officers who have received awards from the Government of Pakistan. The first public description of the Follina vulnerability appeared on May 29, 2022. Two days later, on June 1, the document was modified, and it was first detected on June 2, 2022.

Follina as the delivery mechanism

The document was configured to load an external object from a legitimate but compromised website. Once downloaded, the payload launches an executable containing the JackalControl Trojan. This allows the attackers to remotely control the target computer using a set of predefined, supported commands. Over the years, the group has distributed different variants of this malware: some variants include code to establish persistence on the infected machine, while others are configured to run without doing so. In the latter case persistence is usually provided by another component, for example a batch script.


More spy tools

The group's second most important tool is JackalSteal. It can monitor USB removable drives, remote shares and all drives in the target system. The malware can run as a standard process or as its own service. However, it does not provide its own persistence, so it must be installed by another component.

In addition, GoldenJackal uses a number of further tools, such as JackalWorm, JackalPerInfo and JackalScreenWatcher. Kaspersky researchers observed this toolset in specific cases; it is used to control victims' machines, steal their credentials and capture screenshots of the desktop.

More at Kaspersky.com

 


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
