“Bridging the Gap: GoldenJackal Enhances Government Safeguards”

MITRE Techniques

• [T1583.003] Acquire Infrastructure: Virtual Private Server – GoldenJackal probably acquired a VPS server for C&C operations. “GoldenJackal probably acquired a VPS server for C&C operations.”
• [T1583.004] Acquire Infrastructure: Server – GoldenJackal likely acquired a server for primary C&C operations. “GoldenJackal likely acquired a server for primary C&C operations.”
• [T1584.006] Compromise Infrastructure: Web Services – GoldenJackal has used compromised WordPress sites for C&C infrastructure, used by the JackalControl and JackalSteal malware. “GoldenJackal has used compromised WordPress sites for C&C infrastructure.”
• [T1587.001] Develop Capabilities: Malware – GoldenJackal develops its own custom malware. “GoldenJackal develops its own custom malware.”
• [T1585.003] Establish Accounts: Cloud Accounts – GoldenJackal has used Google Drive to store exfiltrated files and legitimate tools. “GoldenJackal has used Google Drive for file exfiltration.”
• [T1588.002] Obtain Capabilities: Tool – GoldenJackal uses legitimate tools, such as Plink and PsExec, for post-compromise operations. “GoldenJackal uses legitimate tools for post-compromise operations.”
• [T1059.001] Command and Scripting Interpreter: PowerShell – GoldenJackal executed PowerShell scripts to download the JackalControl malware from a compromised WordPress website. “GoldenJackal executed PowerShell scripts to download the JackalControl malware from a compromised WordPress website.”
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – GoldenAce uses cmd.exe to run a batch script to execute other malicious components. “GoldenAce uses cmd.exe to run a batch script.”
• [T1059.006] Command and Scripting Interpreter: Python – GoldenHowl contains various malicious modules that are Python scripts. “GoldenHowl contains various malicious modules that are Python scripts.”
• [T1106] Native API – GoldenDealer can copy and run an executable file with the CreateProcessW API. “CreateProcessW API.”
• [T1569.002] System Services: Service Execution – GoldenDealer can run as a service. “GoldenDealer can run as a service.”
• [T1204.002] User Execution: Malicious File – JackalWorm uses a folder icon to entice a potential victim to launch it. “JackalWorm uses a folder icon to entice a potential victim to launch it.”
• [T1543.003] Create or Modify System Process: Windows Service – GoldenDealer creates the service NetDnsActivatorSharing to persist on a compromised system. “NetDnsActivatorSharing.”
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – If GoldenDealer fails to create a service, a Run registry key is used for persistence. “Run registry key.”
• [T1053.005] Scheduled Task/Job: Scheduled Task – GoldenHowl creates the scheduled task MicrosoftWindowsMultimediaSystemSoundsService2 for persistence. “
• [T1564.001] Hide Artifacts: Hidden Files and Directories – GoldenDealer modifies the registry to hide files. “Hide files.”
• [T1070.004] Indicator Removal: File Deletion – GoldenAce deletes payloads after execution. “deletes payloads after they are run.”
• [T1036.005] Masquerading: Match Legitimate Name or Location – GoldenUsbCopy uses a legitimate Firefox directory to stage files. “C:UsersAppDataRoamingMozillaFirefox.”
• [T1036.008] Masquerading: Masquerade File Type – JackalWorm disguises itself as a non-executable file. “disguises itself as a non-executable file.”
• [T1112] Modify Registry – GoldenDealer modifies the registry to hide files. “modifies the registry to hide files.”
• [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – GoldenJackal uses various encryption methods for its toolset. “encryption methods for its toolset.”
• [T1552.001] Unsecured Credentials: Credentials In Files – GoldenUsbGo looks for files associated with credentials. “searches for files associated with credentials.”
• [T1552.004] Unsecured Credentials: Private Keys – GoldenUsbGo looks for files containing private keys. “files containing private keys.”
• [T1087.001] Account Discovery: Local Account – GoldenDealer collects information about user accounts. “information about user accounts.”
• [T1083] File and Directory Discovery – GoldenHowl lists files and directories. “listing of files and directories.”
• [T1046] Network Service Discovery – GoldenHowl scans for open ports on remote systems. “scans for open ports on remote systems.”
• [T1120] Peripheral Device Discovery – GoldenDealer monitors USB drive insertions. “monitors USB drive insertions.”
• [T1057] Process Discovery – GoldenDealer obtains information about running processes. “running processes.”
• [T1018] Remote System Discovery – GoldenHowl scans IP ranges to find other systems. “scans IP ranges for other systems.”
• [T1518] Software Discovery – GoldenDealer collects information about installed software. “installed software.”
• [T1082] System Information Discovery – GoldenDealer collects OS and user account information. ” OS and user account information.”
• [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – GoldenDealer checks internet connectivity. “checks for internet connectivity.”
• [T1135] Network Share Discovery – GoldenAce checks for mapped drives that may include network shares. “mapped drives.”
• [T1210] Exploitation of Remote Services – GoldenHowl checks for vulnerabilities for lateral movement. “checks for vulnerabilities for lateral movement.”
• [T1091] Replication Through Removable Media – GoldenDealer copies executables to USB drives; GoldenAce propagates via removable media. “Replication Through Removable Media.”
• [T1560.002] Archive Collected Data: Archive via Library – GoldenRobo and GoldenUsbCopy archive files for exfiltration. “archive files for exfiltration.”
• [T1119] Automated Collection – GoldenUsbCopy automatically stages files for exfiltration. “automatically stage files.”
• [T1005] Data from Local System – Most GoldenJackal tools collect data from the local system. “collect data from local system.”
• [T1025] Data from Removable Media – GoldenUsbCopy/Go collect files from USB drives. “files from USB drives.”
• [T1074.001] Data Staged: Local Data Staging – Tools stage files locally for processing or exfiltration. “stage files locally.”
• [T1114.001] Email Collection: Local Email Collection – GoldenBlacklist processes collected email files. “Local Email Collection.”
• [T1071.001] Application Layer Protocol: Web Protocols – GoldenDealer and GoldenHowl use HTTPS for communication. “HTTPS for communication.”
• [T1092] Communication Through Removable Media – GoldenDealer uses USB drives to pass executables and data. “through removable media.”
• [T1132.001] Data Encoding: Standard Encoding – Executables are base64-encoded during transfer. “base64 encoded.”
• [T1572] Protocol Tunneling – GoldenHowl forwards messages through an SSH tunnel. “SSH tunnels.”
• [T1090.001] Proxy: Internal Proxy – GoldenHowl can act as a proxy for forwarding packets. “Internal Proxy.”
• [T1041] Exfiltration Over C2 Channel – GoldenHowl exfiltrates via the C2 channel. “exfiltrates files via its C&C channel.”
• [T1052.001] Exfiltration Over Physical Medium: Exfiltration over USB – USB drives used to exfiltrate from air-gapped systems. “exfiltrate files from air-gapped systems.”
• [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – GoldenDrive exfiltrates to Google Drive. “to Google Drive.”
• [T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – GoldenMailer exfiltrates via SMTP. “via SMTP.”