Cyberspies Target Air-Gapped Systems at European Government Organization


The cyberespionage advanced persistent threat (APT) actor tracked as GoldenJackal has been observed targeting government organizations in Europe with tools designed to compromise air-gapped systems, ESET reports.

GoldenJackal, which shows minor overlaps with the Russia-linked cyberespionage group Turla, has been active for at least five years, focusing on government and diplomatic entities in Europe, the Middle East, and South Asia.

Previous reporting on GoldenJackal described a limited number of attacks against entities in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. ESET has now identified two additional victims: a South Asian embassy in Belarus and a European Union government organization.

Although the attacks occurred years apart, the APT used malware targeting air-gapped systems to collect and exfiltrate sensitive information in both cases.

In August 2019, ESET says, the threat actor targeted a South Asian embassy in Belarus with multiple custom tools: GoldenDealer, which delivers executables to air-gapped systems via USB drives; the GoldenHowl backdoor; and GoldenRobo, which collects and exfiltrates files.

USB drives were likely infected when inserted into a compromised internet-connected system on which a worm component was installed. Like the group's known JackalWorm, this worm component monitored for newly connected USB drives and copied itself and GoldenDealer onto them.

GoldenDealer handled the shuttling between the two sides of the air gap: it collected information about the air-gapped system and staged it on the USB drive, sent that information to a command-and-control (C&C) server once the drive was inserted into an internet-connected machine, retrieved executables supplied by the server, and installed them when the drive was next inserted into the air-gapped computer.
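The USB shuttle pattern described above (an executable dropped onto a freshly inserted drive by a non-interactive process, that same drive later appearing on an isolated host, and something executing from it) is detectable with host telemetry alone. The following is an added example, not code from the ESET report or from any GoldenJackal component, of a small correlation over Sysmon-style FileCreate and ProcessCreate records plus a synthetic removable-drive mount event. The event records, field names, host names, host roles and the allow-list of benign writers are all constructed for illustration.

```python
"""Correlate removable-media events to flag the USB 'shuttle' pattern.

Added example with constructed data; field names loosely follow Sysmon-style
FileCreate / ProcessCreate events plus a synthetic 'removable_mount' event and
are not tied to any specific log pipeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".lnk", ".scr")
# Constructed inventory: which hosts are supposed to be isolated.
HOST_ROLE = {"WS-ONLINE-01": "internet", "WS-AIRGAP-07": "airgapped"}
# Processes that legitimately write to USB drives in this constructed environment.
BENIGN_WRITERS = {"explorer.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_executable(path):
    return path.lower().endswith(EXEC_SUFFIXES)


def drive_of(path):
    """Return the drive letter ('E:') of a Windows path, or None."""
    return path[:2].upper() if len(path) > 1 and path[1] == ":" else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window=timedelta(minutes=10)):
    """Return (rule, host, detail) findings in event order; bridging findings last."""
    findings = []
    mounts = defaultdict(list)        # (host, drive) -> [(ts, serial), ...]
    serial_roles = defaultdict(set)   # serial -> roles of hosts it was mounted on

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, host = parse_ts(ev["ts"]), ev["host"]

        if ev["type"] == "removable_mount":
            mounts[(host, ev["drive"].upper())].append((ts, ev["serial"]))
            serial_roles[ev["serial"]].add(HOST_ROLE.get(host, "unknown"))

        elif ev["type"] == "file_create":
            # Worm stage: an executable written to a just-mounted removable drive
            # by something other than an allow-listed interactive process.
            drive = drive_of(ev["path"])
            recent = [m for m in mounts.get((host, drive), []) if timedelta(0) <= ts - m[0] <= window]
            if recent and is_executable(ev["path"]) and basename(ev["image"]) not in BENIGN_WRITERS:
                findings.append(("exe_written_to_removable", host, f"{ev['image']} wrote {ev['path']}"))

        elif ev["type"] == "process_create":
            # Install stage: a process image launched from a drive letter that
            # was earlier registered as removable on this host.
            drive = drive_of(ev["image"])
            if any(m[0] <= ts for m in mounts.get((host, drive), [])):
                sev = "critical" if HOST_ROLE.get(host) == "airgapped" else "high"
                findings.append(("exec_from_removable", host, f"{sev}: {ev['image']}"))

    # Bridging stage: one physical device seen on both sides of the air gap.
    for serial, roles in serial_roles.items():
        if {"internet", "airgapped"} <= roles:
            findings.append(("bridging_device", "*",
                             f"serial {serial} seen on internet-connected and air-gapped hosts"))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01 09:00:00", "type": "removable_mount", "host": "WS-ONLINE-01",
     "drive": "E:", "serial": "USB-CONSTRUCTED-1"},
    {"ts": "2024-03-01 09:00:30", "type": "file_create", "host": "WS-ONLINE-01",
     "path": "E:\\setup\\update.exe", "image": "C:\\Users\\Public\\svc.exe"},
    {"ts": "2024-03-01 09:00:31", "type": "file_create", "host": "WS-ONLINE-01",
     "path": "E:\\report.docx", "image": "explorer.exe"},
    {"ts": "2024-03-01 11:15:00", "type": "removable_mount", "host": "WS-AIRGAP-07",
     "drive": "D:", "serial": "USB-CONSTRUCTED-1"},
    {"ts": "2024-03-01 11:15:20", "type": "process_create", "host": "WS-AIRGAP-07",
     "image": "D:\\setup\\update.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in correlate(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The three rules map onto the three stages the report describes: the worm copying executables onto a freshly inserted drive, GoldenDealer installing server-supplied executables on the isolated host, and the same drive crossing the gap in both directions. The last rule is the one worth keeping even where the other two are noisy, since it needs only device serials and a host inventory, and a removable device that legitimately visits both an internet-connected and an air-gapped machine should be rare enough to review by hand.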

“We have observed GoldenDealer running GoldenHowl on an internet-connected PC. While we didn’t observe GoldenDealer directly executing GoldenRobo, we observed the latter also running on the connected PC, used to take files from the USB drive and exfiltrate them to its C&C server,” ESET notes.


Written in Python, the GoldenHowl backdoor was designed to run on internet-connected systems and consisted of modules covering persistence, C&C communication, data gathering, and exfiltration.

Written in Go, the GoldenRobo component ran the Robocopy utility to gather files from the USB drive before exfiltrating them to the C&C server. The cybersecurity firm believes the attackers used a separate, unrecovered component to copy files from the air-gapped system onto the USB drive in the first place.

Between September 2019 and January 2024, GoldenJackal also used the previously detailed JackalControl, JackalSteal, and JackalWorm malware against the embassy.

Starting in May 2022, the APT was observed targeting a governmental organization in an unnamed European country with a new, modular toolset in which different machines took on different roles: some were used for data exfiltration, others as internal staging servers, and others for file collection.

“Most of these tools are written in Go and provide diverse capabilities, such as collecting files from USB drives, spreading payloads in the network via USB drives, exfiltrating files, and using some PCs in the network as servers to deliver diverse files to other systems. In addition, we have seen the attackers using Impacket to move laterally across the network,” ESET says.

The toolset included GoldenUsbCopy and GoldenUsbGo, which copy files of interest into an encrypted container on inserted USB drives; GoldenAce, a distribution tool for propagating executables and retrieving files via USB drives; GoldenBlacklist and GoldenPyBlacklist, which process the collected data; GoldenMailer and GoldenDrive, which exfiltrate files; and Python's built-in HTTP server module, used to serve files internally.

“Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets,” ESET notes.

Related: Iranian APT Operating as Initial Access Provider to Networks in the Middle East

Related: Kaspersky Flags Cyberespionage APT ‘CloudSorcerer’ Targeting Russian Government

Related: Google Sees More APTs Using Ukraine War-Related Themes

Related: Nation-State APT Targets Afghans With New Toolset
