Air-gapped systems are security measures that isolate “computers” and “networks” from external connections (like the “internet”) to block ‘unauthorized access’ and ‘cyber threats.’
This isolation can be done via “physical disconnection” or “logical configurations” that restrict the network traffic.
ESET researchers recently uncovered that to attack the Air-gapped systems, the APT group “GoldenJackal” has been actively using custom tools.
GoldenJackal Using Air-Gapped Systems
It’s been identified that the GoldenJackal APT group has been targeting a “European governmental organization” from ‘May 2022’ to ‘March 2024.’
This campaign built upon earlier attacks on “diplomatic entities” dating back to 2019. GoldenJackal specializes in “breaching air-gapped systems,” which are isolated networks that are often used for highly “sensitive data.”
The group employs a sophisticated toolset that includes malware like “GoldenDealer,” “GoldenHowl,” and “GoldenRobo.”
While all these above-mentioned malware are written in various programming languages like “C#,” “Python,” and “Go.”
These tools facilitate “USB drive monitoring,” “file exfiltration,” and “C&C communication.”
The arsenal of GoldenJackal has evolved significantly over time, as it incorporates the following components for ‘backdoor access,’ ‘data theft,’ and ‘malware propagation’ via USB drives:-
- JackalControl
- JackalSteal
- JackalWorm
The latest toolset has been observed in 2022 that features a modular approach.
The latest toolset offers “GoldenUsbCopy” and “GoldenUsbGo,” which use encryption (‘AES,’ ‘RSA’) and compression (‘gzip’) techniques to collect and direct the files for exfiltration, ESET said.
The group’s persistence and ability to develop multiple toolsets for compromising air-gapped networks show its significant resources and strategic focus on high-value targets in “government” and “diplomatic sectors” across “Europe,” “the Middle East,” and “South Asia.”
HTTP Server and GoldenAce are components of the GoldenJackal APT group’s toolkit that function as a “distribution tool” for malware propagation via “USB drives.”
It systematically checks drives “G:” through “Z:”, looking for mapped volumes. Upon finding a suitable drive, it creates a hidden “trash” directory and copies a file named “update” to it.
GoldenAce then hides the first “non-hidden directory” alphabetically and places a renamed “upgrade” file (actually a “lightweight version of JackalWorm”) in the drive’s root.
This JackalWorm variant unlike its more complex counterparts has limited functionality like the ability to copy and execute the “update” file on other systems where the USB is inserted, using a batch file (“update.bat”) to run and then delete itself.
While GoldenAce is not explicitly designed for air-gapped systems but it could breach such networks.
It operates alongside other components like “GoldenBlacklist” (‘which processes email archives’), “GoldenPyBlacklist” (‘a Python implementation for .msg files’), “GoldenMailer” (‘for email-based exfiltration using SMTP‘), and “GoldenDrive” (‘for Google Drive uploads’).
All these tools collectively enable the group to target isolated networks, which demonstrates GoldenJackal’s sophisticated approach to “cyber espionage.”
Strategies to Protect Websites & APIs from Malware Attack => Free Webinar