A new attack is targeting networks with air-gapped machines.
Researchers with ESET uncovered a threat actor dubbed “GoldenJackal” that is using a malware infection specifically designed to target air-gapped machines: PCs that are deliberately set up to run without any network or internet connection.
Air-gapped machines are specifically designed to handle highly sensitive information or critical operational tasks. In this case, the machines in question were housed at a pair of government offices in Europe.
While GoldenJackal’s origins are unclear, previous reports noted the group resembles other Russian espionage operations in its methods and tools. So far, the group’s activities have focused on the Middle East and South Asia, though threat actors commonly pivot to Western governments and targets as needed.
In this case, the target was a South Asian government outpost based in Europe.
The attackers first set upon an internet-facing machine, installing a relatively common set of malware payloads designed to build a foothold on the network.
“The group’s known toolset includes several implants written in C#: JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and JackalScreenWatcher — all of them used for espionage,” explained ESET researcher Matías Porolli.
Where things get interesting is what happens after the malware infects the external-facing machine. In addition to performing its usual malware activities such as stealing credentials and spying on user activity, the malware seeks to get itself into air-gapped computers.
This is done by targeting any connected USB drives. As air-gapped computers have no network connection, any transfer of data has to be conducted via thumb drives. This is how the malware finds its inroads.
“It is probable that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, which is done by JackalWorm,” said Porolli.
“We also believe that the component uses a folder icon, to entice the user to run it when the USB drive is inserted in an air-gapped system, which again, is done by JackalWorm.”
From there, the malware checks for an internet connection by regularly dialing up CloudFlare’s 1.1.1.1 public DNS service. If the request fails, the malware assumes the system is offline and performs different tasks. From there the data is placed back on the USB drive with the intent of being handed off to another infected system that can communicate with the command-and-control server.
“In the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform different tasks,” said Porolli.
“Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes.”
The attacks should serve as a reminder for admins that even extreme measures such as air-gapping can be overcome and all systems in a facility should be regularly monitored and scanned.
