The newly discovered toolset is made up of many different building blocks, written in multiple languages and capabilities. The overall goal appears to be greater flexibility and resilience in case a module is detected by the target.
“Their goal is to obtain data from isolated systems and stay under the radar as much as possible,” Costin Raiu, a researcher who worked at Kaspersky at the time he was investigating GoldenJackal, wrote in an interview. “The multiple exfiltration mechanisms indicate a very flexible tool set that can adapt to all types of situations. These many tools indicate that it is a highly customizable framework where they implement exactly what they need rather than an all-purpose malware that can do anything.”
Other new insights offered by ESET’s research are GoldenJackal’s interest in targets located in Europe. Kaspersky researchers detected that the group targeted Middle Eastern countries.
Based on the information available to Kaspersky, the company’s researchers were unable to attribute GoldenJackal to any specific country. ESET has also not been able to definitively identify the country, but did find an indication that the threat group could have a link to Turla, a powerful hacking group working on behalf of the Russian intelligence agency FSB. The link comes in the form of a command and control protocol in GoldenHowl called transport_http. The same expression is found in malware known to originate from Turla.
Raiu said the highly modular approach is also reminiscent of red octoberan elaborate spy platform discovered in 2013 targeting hundreds of diplomatic, government and scientific organizations in at least 39 countries, including the Russian Federation, Iran and the United States.
While much of Tuesday’s report contains technical analysis that is likely too advanced for many people to understand, it provides important new information that deepens knowledge of gap-jumping malware and the tactics, techniques and procedures of those who use it. The report will also be useful to those responsible for safeguarding the types of organizations that are most frequently targeted by nation-state groups.
“I would say this is especially interesting for security personnel working in embassies and government CERTs,” Raiu said. “They need to check these TTPs and keep an eye on them in the future. If you were previously a victim of Turla or Red October, I would be on the lookout for this.”
This story originally appeared on Ars Technique.
