A threat group that essentially has been flying under the radar for at least the past five years has been using novel tools to attack embassies and other government entities in cyberespionage campaigns aimed at compromising air-gapped systems.
The group, dubbed GoldenJackal and armed with two sets of bespoke toolsets, has set its sights over the years on diplomatic organizations in Europe, the Middle East, and South Asia, according to researchers with cybersecurity firm ESET.
The researchers in 2022 discovered a toolset they couldn’t tie to any known advanced persistent threat (APT) group. However, working backwards, ESET researchers were able to link tools used by GoldenJackal to attacks on a South Asian embassy in Belarus in August and September 2019 and again in July 2021. Most recently, a governmental organization in Europe was targeted by the same group from May 2022 to March.
In between those campaigns, Kaspersky researchers last year noted a limited number of attacks against similar targets in the Middle East and South Asia starting in 2020, Matías Porolli, a malware researcher with ESET, wrote in a report.
All the campaigns were linked together by the use of at least one of the tools Kaspersky identified in its report, Porolli wrote. Neither ESET nor Kaspersky could identify what country GoldenJackal originates from, but in one of the tools – GoldenHowl, a backdoor written in Python from the 2019 toolset – the command-and-control (C2) protocol is referred to with an expression typically used by Turla, a Russia-based cyberespionage group, giving credence to the idea that GoldenHowl’s developers are Russian speakers.
Porolli wrote that ESET hasn’t been able to figure out how GoldenJackal initially accesses the systems, though Kaspersky researchers last year said the group uses trojanized software and malicious documents.
GoldenJackal also appears to be a highly resourceful group, he wrote. Organizations use air-gapped systems – which are isolated from the internet and from other networks – to store and protect highly sensitive information, which makes them particularly attractive to bad actors.
“Compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system, which means that frameworks designed to attack air-gapped networks have so far been exclusively developed by APT [advanced persistent threat] groups,” Porolli wrote. “The purpose of such attacks is always espionage, perhaps with a side of sabotage.”
Air-gapped systems and networks have been used for years, but the increasingly interconnected and digitized nature of modern IT infrastructures and the convergence of IT and operational technologies (OT) work against them. In addition, highly sophisticated modern threat groups are finding ways around them.
“Information technology (IT) needs to fluidly connect with the outside world in order to channel a flow of digital information across everything from endpoints and email systems to cloud and hybrid infrastructures,” cybersecurity company Darktrace wrote last year. “At the same time, this high level of connectivity makes IT systems particularly vulnerable to cyber-attacks.”
Given the level of sophistication needed to compromise air-gapped systems, it was unusual that GoldenJackal was able to build and deploy two distinct toolsets to attack them, according to ESET. The tools used against the South Asian embassy in Belarus were specific to those attacks and involved three components, including GoldenDealer, which was used to deliver malware to the air-gapped system through USB monitoring.
The other two were GoldenHowl and GoldenRobo, used to collect and exfiltrate files.
Weeks after deploying that toolset, GoldenJackal began using other malicious tools on the same systems it had already compromised. Those tools included the JackalControl backdoor, the JackalSteal file collector and exfiltrator, and JackalWorm, which the attackers used to propagate other malicious components – including JackalControl – through USB drives.
Starting in 2022 with the more recent attacks in Europe, the threat group began using a new and more modular toolset, with most of the malware written in the Go programming language and delivering a range of capabilities, from collecting files from USB drives and spreading payloads in the network through USB drives to exfiltrating files.
The toolset also used PCs in the network as servers to deliver other files to other systems. In addition, the bad actors used Impacket to move laterally through the networks.
“In the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform different tasks,” Porolli wrote. “Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes.”
The toolset included components like GoldenUsbCopy, for monitoring the insertion of USB drives and copying files to be exfiltrated by other components, and GoldenAce, for propagating malicious executables and retrieving staged files via USB drives. There also are two components for exfiltrating files: GoldenMailer, which sends emails with attachments to attacker-controlled accounts, and GoldenDrive, which uploads the exfiltrated files to Google Drive.
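The USB-borne behaviour described above (payloads executed and spread from removable drives, executables staged onto them for the next hop, and files bulk-copied off a drive shortly after insertion) leaves a correlatable trace in endpoint telemetry. The following is an added example, not ESET's code and not GoldenJackal tooling; it correlates constructed mount, execution, write and read events in a simplified event schema that is an assumption of this example, not any vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (not real logs; not a vendor schema).
# kind: "mount" = removable volume attached, "exec" = process started from path,
#       "write" = file created on path, "read" = file opened for reading.
EVENTS = [
    {"t": "2024-01-10T09:00:00", "host": "ws01", "kind": "mount", "vol": "E:"},
    {"t": "2024-01-10T09:00:12", "host": "ws01", "kind": "exec", "path": "E:\\update.exe"},
    {"t": "2024-01-10T09:01:30", "host": "ws01", "kind": "write", "path": "E:\\cache\\svc.exe"},
    {"t": "2024-01-10T09:05:00", "host": "ws02", "kind": "mount", "vol": "F:"},
] + [
    {"t": f"2024-01-10T09:05:{s:02d}", "host": "ws02", "kind": "read", "path": f"F:\\docs\\{s}.pdf"}
    for s in range(10, 18)
] + [
    {"t": "2024-01-10T11:00:00", "host": "ws03", "kind": "mount", "vol": "G:"},
    {"t": "2024-01-10T11:00:40", "host": "ws03", "kind": "read", "path": "G:\\photo.jpg"},
]

EXEC_SUFFIXES = (".exe", ".dll", ".scr")

def correlate(events, window_s=300, read_burst=5):
    """Return findings as (host, volume, reason) tuples for activity that
    happens on a removable volume within window_s seconds of its mount."""
    mounts = {}                   # (host, vol) -> time the volume was attached
    reads = defaultdict(int)      # (host, vol) -> files read since that mount
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        key = (ev["host"], ev.get("vol") or ev["path"][:2].upper())
        if ev["kind"] == "mount":
            mounts[key] = ts
            reads[key] = 0
            continue
        if key not in mounts or ts - mounts[key] > timedelta(seconds=window_s):
            continue              # not on a recently attached removable volume
        if ev["kind"] == "exec":
            findings.append((*key, "process launched from removable volume"))
        elif ev["kind"] == "write" and ev["path"].lower().endswith(EXEC_SUFFIXES):
            findings.append((*key, "executable written to removable volume"))
        elif ev["kind"] == "read":
            reads[key] += 1
            if reads[key] == read_burst:      # report a burst once per mount
                findings.append((*key, "bulk read from removable volume"))
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

On the constructed sample, ws01 and ws02 produce findings while the single photo read on ws03 stays below the burst threshold; the window and threshold are tuning knobs, not values from the report.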