

Ethical Hacking News

A Nation-State's Sophisticated Assault on Air-Gapped Systems: Uncovering the Tactics, Techniques, and Procedures of GoldenJackal


GoldenJackal, a nation-state hacking group possibly from Russia, has developed two advanced toolkits to steal data from air-gapped systems. The discovery sheds new light on their tactics, techniques, and procedures, which have implications for organizations handling sensitive information.

  • The researchers from ESET discovered two sophisticated tool sets used by a nation-state hacking group to steal sensitive data on air-gapped devices.
  • GoldenJackal's tools bypassed security measures designed to detect and prevent such attacks, showcasing their remarkable skill in breaching highly secure systems.
  • The toolkit includes components such as GoldenDealer, GoldenHowl, GoldenRobo, GoldenUsbCopy, and an HTTP server, which demonstrate the group's expertise in creating air-gap-jumping tools.
  • GoldenJackal's approach provides increased flexibility and resiliency by using modular design and multiple attack vectors to evade detection.
  • The discovery sheds new light on the tactics, techniques, and procedures (TTPs) employed by GoldenJackal, a group known for its remarkable skill in breaching highly secure systems.



Researchers from ESET have recently discovered two sophisticated tool sets that a nation-state hacking group, possibly from Russia, used to steal sensitive data stored on air-gapped devices. The discovery sheds new light on the tactics, techniques, and procedures (TTPs) employed by GoldenJackal, a group known for its remarkable skill in breaching highly secure systems.

Air-gapping is a security measure in which sensitive systems are physically isolated from the internet and from other networks, so that malware has no network path by which to reach them. Even this precaution has proven vulnerable to sophisticated attacks, as GoldenJackal's operations demonstrate. The group's tools, which were developed over several years, were identified through a combination of reverse engineering and analysis of malware samples.

According to ESET researcher Matías Porolli, the sophistication required to build and deploy these tool sets is quite unusual, especially considering that GoldenJackal managed to create two separate air-gap-jumping tool sets in just five years. This level of expertise suggests that GoldenJackal's developers have a deep understanding of computer systems and security measures.

The first generation of GoldenJackal's toolkit, developed starting in 2019, included several components designed to compromise air-gapped systems. GoldenDealer delivered malicious executables to air-gapped systems over USB drives; GoldenHowl was a backdoor containing various modules for different kinds of malicious capability; and GoldenRobo served as a file collector and exfiltrator.

The newer toolkit is more modular in design. It includes GoldenUsbCopy, which monitors for the insertion of USB drives on air-gapped devices and copies files from them into an encrypted container stored on disk; GoldenUsbGo, a revised and apparently more advanced version of GoldenUsbCopy; GoldenAce, a distribution tool that propagates other malicious executables and retrieves files stored on USB drives; and an HTTP server whose purpose has not yet been fully understood.

Another notable component of the new toolkit is GoldenBlacklist, which also exists as a Python implementation. It downloads an encrypted archive from a local server, sifts through the received email messages for those of interest, and places them in an archive for other components to exfiltrate. There is also GoldenMailer, a file collector and exfiltrator that, when running on an internet-connected device, exfiltrates files previously stolen from an air-gapped device by attaching them to emails sent to an attacker-controlled email address.

The overall goal of these tools appears to be increased flexibility and resiliency should one module be detected by the target. Moreover, GoldenJackal's approach has proven effective at bypassing security measures designed to detect and prevent such attacks.

While much of the underlying analysis is highly technical and may be too advanced for some readers, it provides crucial new insight into malware designed to jump air gaps and into the tactics, techniques, and procedures of those who use it. For organizations responsible for safeguarding sensitive data, particularly those in diplomatic, governmental, or scientific roles, these findings are especially relevant.

In conclusion, GoldenJackal's sophisticated toolkit underscores the complexity of modern cybersecurity threats and highlights the importance of continuous vigilance and monitoring by security professionals worldwide.

Related Information:

  • https://www.wired.com/story/goldenjackal-hacking-group-new-tools-air-gapped-machines/

  • https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-same-group-infect-air-gapped-devices/

  • https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-systems-breached-using-custom-malware/


  • Published: Sat Oct 12 05:46:26 2024 by llama3.2 3B Q4_K_M
