Meet the GoldenJackal APT group. Don’t expect any howls

MITRE Techniques

• [T1203] Exploitation for Client Execution – The Word document uses a remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability. ‘The remote webpage is a modified version of a public “Proof of Concept” to exploit the Follina vulnerability.’
• [T1071.001] Web Protocols – The malware communicates using HTTP POST requests to the C2. ‘The malware communicates using HTTP POST requests where data arguments will be carried in encoded form as part of the request’s body.’
• [T1021.002] Remote Services – Lateral movement via PsExec to start a malicious batch script. ‘the attacker using the psexec utility to start a malicious batch script.’
• [T1543.003] Create or Modify System Process: Windows Service – JackalControl can run as a Windows service. ‘The Trojan is an executable file that can be started as a standard program or as a Windows service.’
• [T1547.001] Registry Run Keys/Startup Folder – Persistence via registry Run keys. ‘Persistence is usually guaranteed with one of the following mechanisms: … creation of a Windows registry run key.’
• [T1053.005] Scheduled Task – Persistence via scheduled tasks. ‘The malware’s persistence is usually guaranteed with one of the following mechanisms: … creation of a Windows scheduled task.’
• [T1047] Windows Management Instrumentation – Information gathering via WMI queries (e.g., ‘select * from win32_computersystemproduct’ and ‘select * from win32_diskdrive’).
• [T1082] System Information Discovery – GetSysInfo collects computer name, OS version, domain, user, time, and interfaces. ‘Computer name: %s OS version: %S Domain: %S User: %S Local time: %s …’
• [T1047] Windows Management Instrumentation – See above; WMI queries used to gather hardware identifiers, such as UUID and serials. ‘The UUID value obtained from the following WMI query: select * from win32_computersystemproduct’*
• [T1041] Exfiltration Over C2 Channel – Data and command results are compressed/encrypted and uploaded via POST to C2. ‘The resulting payload is concatenated with the BOT_ID … uploaded to the remote server using the aforementioned POST request format.’
• [T1027] Obfuscated/Compressed Files and Information – DES/AES encryption and gzip-based compression used for command results and payloads. ‘The command results are usually composed into a message that also includes the values of the underlying command type and command ID, which are compressed with GZIP, encrypted with DES, and encoded with base64.’
• [T1113] Screen Capture – JackalScreenWatcher captures desktop screenshots and sends them to C2. ‘The malware can handle some arguments … The program’s primary function involves running a thread that scans all displays … it captures a screenshot and sends it to the remote server.’
• [T1036] Data from Local System – JackalPerInfo collects local system data including installed apps, processes, and browser data. ‘GetSysInfo collects … Applications: %Installed Application1% … Cookies … History …’
• [T1083] File and Directory Discovery – Watcher enumerates files in directories and subdirectories to identify targets for exfiltration. ‘the Watcher enumerates all files in the directory and its subdirectories.’