Threat Actor Shares Limited Code Similarity With Turla
A suspected cyberespionage group that has been active since 2020 has targeted government and diplomatic entities in the Middle East and South Asia using a malware tool set capable of controlling victims’ machines and exfiltrating system data and credentials.
Security researchers at Kaspersky said a group they track as GoldenJackal uses malware that has some similarities to malware linked to a Russian-speaking threat actor.
Kaspersky stops short of definitively connecting GoldenJackal with any known threat actor but says GoldenJackal malware is similar to Kazuar, a Trojan used by the Russian state cyberespionage group Turla, also known as Uroburos, Snake and Venomous Bear. The Kaspersky researchers say the similarity lies in the UID generation algorithm, which “overlaps somewhat with that used by Kazuar.”
GoldenJackal uses spear-phishing, vulnerability exploitation and a .NET malware tool set to establish persistence in victims’ machines, spread across systems and exfiltrate information such as account credentials, system information, browser history and user files.
The APT group’s primary infection vectors are spear-phishing emails containing fake Skype installers and malicious Word documents. The fake Skype installer downloads a legitimate Skype for Business application while it surreptitiously downloads the Trojan that Kaspersky calls JackalControl.
The cyberespionage group has evaded public attention so far. Kaspersky in May 2022 spotted the group sending emails to Pakistani government agencies requesting information about foreign service officers who had received awards and medals.
The APT group in that instance used a malicious document that downloaded an HTML page that exploited the Follina vulnerability, a now-patched zero-day allowing arbitrary code execution in Microsoft Office, to download and execute a file named GoogleUpdateSetup.exe that installed the JackalControl malware. The group used the Follina exploit only two days after it became public.
The Pakistani government in 2022 issued a cybersecurity advisory warning officials about hackers targeting “diplomatic missions in Afghanistan and Pakistan” and establishing persistence on infected systems.
The JackalControl Trojan enables attackers to remotely control an infected system and instruct the malware to execute arbitrary programs or to upload or download arbitrary files to or from the local system. The APT group routinely updates the Trojan, and several versions of it exist at this time.
“Over the years the attackers have distributed different variants: some include code to maintain persistence, others were configured to run without infecting the system; and the infection procedure is usually performed by other components,” the researchers wrote.
Kaspersky says the APT group targeted government and diplomatic entities in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.