Government and diplomatic entities in the Middle East and South Asia are being targeted by a previously undocumented advanced persistent threat (APT) actor tracked as GoldenJackal.
Russian cybersecurity company Kaspersky, which has been tracking the group's activity since mid-2020, characterizes the adversary as capable and stealthy.
The campaign's targeting has focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey, infecting victims with specialized malware that steals data, spreads across systems via removable drives, and performs surveillance.
GoldenJackal is thought to have been active for at least four years, although little is known about the group. Kaspersky said it could not yet determine the group's origin or any affiliation with known threat actors, but the perpetrator's modus operandi suggests an espionage motivation.
What's more, the threat actor's effort to maintain a low profile and stay out of sight bears all the hallmarks of a state-sponsored group.
That said, some tactical overlap has been observed between the threat actor and Turla, one of Russia's elite nation-state hacking crews. In one instance, a victim's machine was infected by Turla and GoldenJackal two months apart.
The exact initial access vector used to penetrate the targeted computers is unknown at this stage, but the evidence gathered so far points to the use of a trojanized Skype installer and a malicious Microsoft Word document.
While the installer served as a conduit for delivering a .NET-based trojan called JackalControl, the Word files have been observed weaponizing the Follina vulnerability (CVE-2022-30190) to drop the same malware.
JackalControl, as its name suggests, allows an attacker to remotely take over a machine, execute arbitrary commands, and upload and download files to and from the system.
Figure: Geography of the victims
Some of the other malware families used by GoldenJackal are as follows:
- JackalSteal – An implant used to find files of interest, including those located on removable USB drives, and send them to remote servers.
- JackalWorm – A worm engineered to infect systems via removable USB drives and install the JackalControl trojan.
- JackalPerInfo – Malware that harvests system metadata, folder contents, installed applications, running processes, and credentials stored in web browser databases.
- JackalScreenWatcher – A utility that takes screenshots at predefined time intervals and sends them to an actor-controlled server.
Another notable aspect of the threat actor is its reliance on compromised WordPress sites as relays that forward web requests to the real command-and-control (C2) server, using malicious PHP files injected into the websites.
“The group may be trying to reduce its visibility by limiting the number of victims,” said Kaspersky researcher Giampaolo Dedola. “Their toolkit appears to be under development – the number of variants shows they are still investing in it.”