Entering through the (air)gap

The older attacks seen by ESET begin by infecting internet-connected systems,
likely through trojanized software or malicious documents,
with malware called '#GoldenDealer'.

GoldenDealer monitors for the insertion of USB drives on those systems,
and when it happens, it automatically copies itself and other malicious components onto it.

🆘 Eventually, that same USB drive is inserted into an air-gapped computer,
allowing GoldenDealer to install #GoldenHowl
(a backdoor) and #GoldenRobo
(a file stealer) onto these isolated systems.

During this phase, GoldenRobo scans the system for documents, images, certificates, encryption keys, archives, OpenVPN configuration files, and other valuable info
and stores them in a hidden directory on the USB drive.

⚠️When the USB drive is removed from the air-gapped computer and re-connected to the original internet-connected system,
GoldenDealer automatically sends the stolen data stored on the drive to the threat actor's command and control (C2) server.
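The round trip described above (internet-connected host, then the air-gapped host, then the same internet-connected host again, all on one removable drive) is also the pattern a defender can hunt for using nothing more than USB connection records from both segments. The following Python is an added example, not code from ESET, BleepingComputer or the GoldenJackal toolset. It assumes each host is already labelled with a network zone ("internet" or "airgap") from an asset inventory, that USB device serials are being collected from the operating system on both sides, and the log records it processes are constructed for illustration.

```python
"""Flag removable media that has bridged an air gap.

Added example (not from the original article). Input records are constructed:
a USB device serial, the host it was plugged into, and the host's network zone.
A serial seen in more than one zone is a bridging device; a sequence of
internet -> airgap -> internet sightings is one complete staging/exfil cycle
of the kind described for GoldenDealer.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class UsbEvent:
    ts: datetime
    host: str
    zone: str    # "internet" or "airgap": zone label assumed to come from the asset inventory
    serial: str  # device serial as reported by the OS (e.g. USBSTOR key on Windows, udev on Linux)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS: List[UsbEvent] = [
    UsbEvent(_t("2024-03-04 09:00"), "ws-internet-01", "internet", "USB-A001"),
    UsbEvent(_t("2024-03-04 10:30"), "ws-airgap-07", "airgap", "USB-A001"),
    UsbEvent(_t("2024-03-04 12:15"), "ws-internet-01", "internet", "USB-A001"),
    UsbEvent(_t("2024-03-04 14:00"), "ws-airgap-07", "airgap", "USB-A001"),
    UsbEvent(_t("2024-03-04 16:20"), "ws-internet-02", "internet", "USB-A001"),
    UsbEvent(_t("2024-03-04 09:10"), "ws-internet-03", "internet", "USB-B002"),
    UsbEvent(_t("2024-03-04 11:00"), "ws-internet-01", "internet", "USB-B002"),
    UsbEvent(_t("2024-03-04 09:20"), "ws-airgap-02", "airgap", "USB-C003"),
    UsbEvent(_t("2024-03-04 15:40"), "ws-airgap-07", "airgap", "USB-D004"),
    UsbEvent(_t("2024-03-04 17:05"), "ws-internet-01", "internet", "USB-D004"),
]

# (timestamp, host, zone) sightings of one device, in time order
Timeline = List[Tuple[datetime, str, str]]


def find_bridging_devices(events: Iterable[UsbEvent]) -> Dict[str, Timeline]:
    """Group sightings by serial and keep only devices seen in more than one zone."""
    by_serial: Dict[str, Timeline] = defaultdict(list)
    for e in events:
        by_serial[e.serial].append((e.ts, e.host, e.zone))
    bridging: Dict[str, Timeline] = {}
    for serial, timeline in by_serial.items():
        if len({zone for _, _, zone in timeline}) > 1:
            bridging[serial] = sorted(timeline)
    return bridging


def round_trips(timeline: Timeline) -> int:
    """Count internet -> airgap -> internet cycles in a device's sighting history.

    Consecutive sightings in the same zone are collapsed first, so re-plugging
    a drive into a second host on the same segment does not break a cycle.
    """
    zones: List[str] = []
    for _, _, zone in timeline:
        if not zones or zones[-1] != zone:
            zones.append(zone)
    pattern = ["internet", "airgap", "internet"]
    return sum(1 for i in range(len(zones) - 2) if zones[i:i + 3] == pattern)


def analyze(events: Iterable[UsbEvent]) -> Dict[str, int]:
    """Map each bridging serial to the number of completed exfil-shaped cycles."""
    return {s: round_trips(tl) for s, tl in find_bridging_devices(events).items()}


if __name__ == "__main__":
    for serial, cycles in analyze(SAMPLE_EVENTS).items():
        print(f"{serial}: seen in both zones, {cycles} internet->airgap->internet cycle(s)")
```

A device with zero cycles is still worth a look: it crossed the gap in one direction, which is a policy violation on its own. A device with one or more cycles matches the full collect-then-carry-back flow and is the one to pull and image, checking for a hidden directory on the drive.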

GoldenHowl is a multi-functional Python backdoor
that can steal files, facilitate persistence, scan for vulnerabilities, and communicate directly with the C2.

ESET says it appears designed to run on internet-connected machines.

#JackalWorm

An APT hacking group known as #GoldenJackal has successfully
🔥breached air-gapped government systems in Europe
💥using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents.

According to an ESET report, this happened at least twice:
once against the embassy of a South Asian country in Belarus, in September 2019 and again in July 2021,
and once against a European government organization between May 2022 and March 2024.

In May 2023, Kaspersky warned about GoldenJackal's activities, noting that the threat actors focus on government and diplomatic entities for purposes of espionage.

Although the group's use of ❌custom tools that spread over USB pen drives, like '#JackalWorm', was already known,
a successful compromise of air-gapped systems had not previously been confirmed.

Air-gapped systems are used in critical operations, which often manage confidential information,
and are isolated from open networks as a protection measure.

https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-systems-breached-using-custom-malware/

European govt air-gapped systems breached using custom malware (BleepingComputer)