GoldenJackal, an advanced persistent threat (APT) hacking group, has breached air-gapped government systems in Europe by using custom malware. The group utilised two distinct toolsets to exfiltrate sensitive data, including emails, encryption keys, images, archives, and documents.
As per an ESET report, these breaches occurred on at least two occasions. The first attack targeted the embassy of a South Asian country in Belarus, first in September 2019 and again in July 2021. A second attack was carried out against a European government organisation between May 2022 and March 2024.
Cybersecurity firm Kaspersky had previously warned, in May 2023, about GoldenJackal’s activities, highlighting their focus on government and diplomatic entities for espionage.
GoldenJackal seemingly breaking into (seemingly) unbreakable systems
Although it was known that the group employed custom tools spread through USB drives, such as the JackalWorm malware, successful breaches of air-gapped systems had not been confirmed until now.
Air-gapped systems, often used to manage highly confidential information, are isolated from networks as a protective measure. However, GoldenJackal’s breaches involved infecting these systems by first compromising internet-connected machines.
The attack method described by ESET involved infecting these internet-connected systems, likely through the use of trojanised software or malicious documents. The malware used, GoldenDealer, monitors the system for the insertion of USB drives. Once a USB drive is detected, GoldenDealer copies itself and other malicious components onto the drive.
After the infected USB drive is connected to an air-gapped system, GoldenDealer enables the installation of two additional malware components: GoldenHowl, a backdoor, and GoldenRobo, which was used to steal files.
GoldenRobo searches the air-gapped system for documents, encryption keys, archives, images, OpenVPN configuration files and other data, saving them in a hidden directory on the USB drive. When the drive is removed and connected to the original internet-connected machine, GoldenDealer automatically transfers the stolen data to the threat actor’s command and control (C2) server.
GoldenHowl, a multi-functional Python-based backdoor, is designed to allow further activity on compromised systems, including file theft, persistence, and vulnerability scanning. ESET noted that GoldenHowl appeared to be intended primarily for use on internet-connected machines.
In 2022, GoldenJackal began using a new toolset developed in the Go programming language. This modular toolset allowed different machines to perform specific tasks. For instance, some machines were used for file exfiltration, while others served as file stagers or managed configuration data.
The malware used to infect USB drives is named GoldenAce. The group also deployed file-stealing tools, GoldenUsbCopy and GoldenUsbGo, with the latter being a newer version of the former.
GoldenUsbGo no longer used encryption-based configuration. Instead, it followed hardcoded instructions to exfiltrate files, targeting files modified within the last 14 days, under 20 MB in size, and containing certain keywords such as “pass,” “login,” or “key,” or specific file types like .pdf, .doc, .docx, .sh, or .bat.
GoldenBlacklist, another tool used in the attacks, and its Python-based version, GoldenPyBlacklist, filter and archive specific email messages before exfiltration. GoldenMailer is responsible for emailing the stolen data, and GoldenDrive uploads the files to Google Drive.
The presence of two toolsets, both incorporating elements described in the Kaspersky report, demonstrated GoldenJackal’s ability to develop and modify malware for espionage activities against highly protected systems.