GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.
We started monitoring the group in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:
control victim machines
spread across systems using removable drives
exfiltrate certain files from the infected system
steal credentials
collect information about the local system
collect information about users’ web activities
take screen captures of the desktop
Based on their toolset and the attacker’s behaviour, we believe the actor’s primary motivation is espionage.
Infection vectors
We have limited visibility on their infection vectors, but during our investigations, we observed the usage of fake Skype installers and malicious Word documents.
The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. This tool was used in 2020.
The other known infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.
Malicious document – first page
The document was named “Gallery of Officers Who Have Recei ..
Support the originator by clicking the read the rest link below.
