Entering through the (air)gap
The older attacks seen by ESET begin by infecting internet-connected systems, likely via trojanized software or malicious documents, with a malware component ESET calls GoldenDealer.
GoldenDealer monitors those systems for the insertion of USB drives and, when one is plugged in, automatically copies itself and other malicious components onto the drive.
Eventually, that same USB drive is inserted into an air-gapped computer, allowing GoldenDealer to install GoldenHowl (a backdoor) and GoldenRobo (a file stealer) onto the isolated system.
During this phase, GoldenRobo scans the system for documents, images, certificates, encryption keys, archives, OpenVPN configuration files, and other valuable data, and stages copies in a hidden directory on the USB drive.
When the USB drive is removed from the air-gapped computer and reconnected to the original internet-connected system, GoldenDealer automatically sends the stolen data staged on the drive to the threat actor's command and control (C2) server.
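The defensive counterpart of the staging step above is to inspect removable media for exactly that pattern: a hidden directory that has accumulated the file types the stealer collects. The following is an added example, not ESET's analysis code and not anything recovered from the malware; it assumes nothing about GoldenRobo's actual directory name or layout. The extension-to-category mapping and the detection threshold are assumptions for the example, and the sample drive layout it builds is constructed.

```python
"""Flag hidden staging directories on a mounted removable drive.

Added example (not ESET's or the malware's code). It looks only for the
generic pattern described in the report: a hidden directory on removable
media holding documents, images, certificates, keys, archives and OpenVPN
configuration files.
"""
import os
import stat
import tempfile
from pathlib import Path

# File types named in the report as targets of the file stealer.
# Which extensions belong to which category is an assumption for this example.
HARVESTED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",  # documents
    ".jpg", ".jpeg", ".png",                                          # images
    ".crt", ".cer", ".pem", ".p12", ".pfx",                           # certificates
    ".key", ".ppk", ".gpg", ".asc",                                   # encryption keys
    ".zip", ".rar", ".7z", ".tar", ".gz",                             # archives
    ".ovpn",                                                          # OpenVPN configs
}


def is_hidden(path: Path) -> bool:
    """True for a dot-prefixed name (POSIX) or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_staging_dirs(drive_root, min_files: int = 5) -> dict:
    """Return {relative_hidden_dir: hit_count} for every hidden directory under
    drive_root that holds at least min_files files (searched recursively) whose
    extension is in HARVESTED_EXTENSIONS. min_files is an assumed threshold to
    keep a single stray dotfile from triggering an alert."""
    root = Path(drive_root)
    suspects = {}
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if d == root or not is_hidden(d):
            continue
        hits = sum(
            1 for f in d.rglob("*")
            if f.is_file() and f.suffix.lower() in HARVESTED_EXTENSIONS
        )
        if hits >= min_files:
            suspects[str(d.relative_to(root))] = hits
        dirnames[:] = []  # rglob already covered the subtree; do not descend again
    return suspects


def build_sample_drive(root) -> None:
    """Constructed sample layout: one hidden staging directory full of
    harvested file types, plus benign content that must not be flagged."""
    root = Path(root)
    staged = [
        ".cache/client.ovpn", ".cache/id_rsa.key", ".cache/ca.crt",
        ".cache/notes.pdf", ".cache/photo.jpg", ".cache/sub/backup.zip",
    ]
    benign = ["Reports/quarterly.docx", "README.txt", ".Trash/readme.txt"]
    for rel in staged + benign:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")


def demo() -> dict:
    """Build the constructed sample in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return find_staging_dirs(tmp)


if __name__ == "__main__":
    for hidden_dir, count in demo().items():
        print(f"suspicious hidden staging dir {hidden_dir!r}: {count} harvested-type files")
```

Run it against a real mount point with `find_staging_dirs("/media/usb")` (or a drive letter on Windows). The hidden-attribute check only works on Windows, where `st_file_attributes` exists; elsewhere only the dot-prefix convention is applied, so on Linux hosts that expect FAT-formatted sticks carrying Windows-hidden directories, complement this with a read of the FAT attributes or simply scan every directory and drop the `is_hidden` filter.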
GoldenHowl is a multi-functional Python backdoor that can steal files, establish persistence, scan for vulnerabilities, and communicate directly with the C2 server. ESET says it appears designed to run on internet-connected machines.