ESET researchers found a collection of assaults on a governmental group in Europe utilizing instruments able to concentrating on air-gapped techniques. The marketing campaign, which we attribute to GoldenJackal, a cyberespionage APT group that targets authorities and diplomatic entities, happened from Might 2022 to March 2024. By analyzing the toolset deployed by the group, we have been in a position to establish an assault GoldenJackal carried out earlier, in 2019, towards a South Asian embassy in Belarus that, but once more, focused the embassy’s air-gapped techniques with customized instruments.
This blogpost introduces beforehand undocumented instruments that we attribute to GoldenJackal based mostly on victimology, code, and practical similarities between the toolsets.
Key factors of the blogpost:
GoldenJackal used a customized toolset to focus on air-gapped techniques at a South Asian embassy in Belarus since at the least August 2019. On this blogpost, we describe these instruments publicly for the primary time.
This blogpost additionally options the primary public description of a extremely modular toolset GoldenJackal deployed on numerous events between Might 2022 and March 2024 towards a nationwide authorities group of a rustic within the European Union.
These toolsets present GoldenJackal a large set of capabilities for compromising and persisting in focused networks. Victimized techniques are abused to gather fascinating data, course of the knowledge, exfiltrate recordsdata, and distribute recordsdata, configurations and instructions to different techniques.
The last word objective of GoldenJackal appears to be stealing confidential data, particularly from high-profile machines that may not be related to the web.
GoldenJackal profile
GoldenJackal is an APT group energetic since at the least 2019. It targets authorities and diplomatic entities in Europe, the Center East, and South Asia. The group is little recognized and has solely been publicly described in 2023 by Kaspersky. The group’s recognized toolset consists of a number of implants written in C#: JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and JackalScreenWatcher – all of them used for espionage.
Overview
In Might 2022, we found a toolset that we couldn’t attribute to any APT group. However as soon as the attackers used a software just like a kind of publicly documented by Kaspersky, we have been in a position to dig deeper and to discover a connection between the publicly documented toolset of GoldenJackal and this new one.
Extrapolating from that, we managed to establish an earlier assault the place the publicly documented toolset was deployed, in addition to an older toolset that additionally has capabilities to focus on air-gapped techniques. This blogpost shines a light-weight on the technical facets of the publicly undocumented toolsets, and shares some insights about GoldenJackal’s ways, methods, and procedures.
Victimology
GoldenJackal has been concentrating on governmental entities in Europe, the Center East, and South Asia. We detected GoldenJackal instruments at a South Asian embassy in Belarus in August and September 2019, and once more in July 2021.
Kaspersky reported a restricted variety of assaults towards authorities and diplomatic entities within the Center East and South Asia, beginning in 2020.
Extra lately, in response to ESET telemetry, a nationwide authorities group of a rustic within the European Union was repeatedly focused from Might 2022 till March 2024.
Attribution
All of the campaigns that we describe on this blogpost deployed, sooner or later, at the least one of many instruments attributed to the GoldenJackal APT group by Kaspersky. As was the case within the Kaspersky report, we will’t attribute GoldenJackal’s actions to any particular nation-state. There may be, nonetheless, one clue that may level in direction of the origin of the assaults: within the GoldenHowl malware, the C&C protocol is known as transport_http, which is an expression sometimes utilized by Turla (see our ComRat v4 report) and MoustachedBouncer. This will likely point out that the builders of GoldenHowl are Russian audio system.
Breaching air-gapped techniques
In an effort to reduce the danger of compromise, extremely delicate networks are sometimes air gapped, i.e., remoted from different networks. Often, organizations will air hole their most precious techniques, corresponding to voting techniques and industrial management techniques working energy grids. These are sometimes exactly the networks which might be of most curiosity to attackers.
As we acknowledged in a earlier white paper titled Leaping the air hole: 15 years of nation-state effort, compromising an air-gapped community is way more resource-intensive than breaching an internet-connected system, which implies that frameworks designed to assault air-gapped networks have to date been completely developed by APT teams. The aim of such assaults is all the time espionage, maybe with a facet of sabotage.
With the extent of sophistication required, it’s fairly uncommon that in 5 years, GoldenJackal managed to construct and deploy not one, however two separate toolsets designed to compromise air-gapped techniques. This speaks to the resourcefulness of the group. The assaults towards a South Asian embassy in Belarus made use of customized instruments that we have now solely seen in that particular occasion. The marketing campaign used three predominant parts: GoldenDealer to ship executables to the air-gapped system by way of USB monitoring; GoldenHowl, a modular backdoor with numerous functionalities; and GoldenRobo, a file collector and exfiltrator.
Within the newest collection of assaults towards a authorities group in Europe, GoldenJackal moved on from the unique toolset to a brand new, extremely modular one. This modular method utilized not solely to the design of the malicious instruments (as was the case with GoldenHowl), but additionally to their roles: they have been used, amongst different issues, to gather and course of fascinating data, to distribute recordsdata, configurations, and instructions to different techniques, and to exfiltrate recordsdata.
Technical evaluation
Preliminary entry
Thus far, we haven’t been in a position to hint again to the preliminary compromise vector within the campaigns seen in our telemetry. Notice that Kaspersky reported in a blogpost that GoldenJackal used trojanized software program and malicious paperwork for this function.
The mysterious toolset from 2019
The earliest assault that we have now attributed to GoldenJackal, which focused a South Asian embassy in Belarus, occurred in August 2019. The toolset used on this assault is, to the perfect of our data, publicly undocumented. We’ve solely noticed the next customized instruments as soon as, and by no means once more:
A malicious element that may ship executables to air-gapped techniques by way of USB drives. We’ve named this element GoldenDealer.
A backdoor, which we’ve named GoldenHowl, with numerous modules for malicious capabilities.
A malicious file collector and exfiltrator, which we’ve named GoldenRobo.
An outline of the assault is proven in Determine 1. The preliminary assault vector is unknown, so we assume that GoldenDealer and an unknown worm element are already current on a compromised PC that has entry to the web. At any time when a USB drive is inserted, the unknown element copies itself and the GoldenDealer element to the drive. Whereas we didn’t observe this unknown element, we have now seen parts with comparable functions – corresponding to JackalWorm – in different toolsets utilized in later assaults carried out by the group.
Determine 1. Overview of the preliminary compromise of an air-gapped system
It’s possible that this unknown element finds the final modified listing on the USB drive, hides it, and renames itself with the title of this listing, which is completed by JackalWorm. We additionally imagine that the element makes use of a folder icon, to entice the consumer to run it when the USB drive is inserted in an air-gapped system, which once more is completed by JackalWorm.
When the drive is once more inserted into the internet-connected PC, GoldenDealer takes the details about the air-gapped PC from the USB drive and sends it to the C&C server. The server replies with a number of executables to be run on the air-gapped PC. Lastly, when the drive is once more inserted into the air-gapped PC, GoldenDealer takes the executables from the drive and runs them. Notice that this time no consumer interplay is required, as a result of GoldenDealer is already working.
We have now noticed GoldenDealer working GoldenHowl on an internet-connected PC. Whereas we didn’t observe GoldenDealer straight executing GoldenRobo, we noticed the latter additionally working on the related PC, used to take recordsdata from the USB drive and exfiltrate them to its C&C server. There have to be one more unknown element that copies recordsdata from the air-gapped PC to the USB drive, however we haven’t noticed it but.
GoldenDealer
This element displays the insertion of detachable drives on each air-gapped and related PCs, in addition to web connectivity. Based mostly on the latter, it will possibly obtain executable recordsdata from a C&C server and conceal them on detachable drives, or retrieve them from these drives and execute them on techniques that don’t have any connectivity.
This system may be run with or with out arguments. When run with arguments, it takes a path to a file that it strikes to a brand new location after which runs by way of the CreateProcessW API with out making a window.
To stop hidden recordsdata being proven in Home windows Explorer, GoldenDealer creates the ShowSuperHidden worth within the HKCUSOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvanced registry key, and units it to zero.
In case GoldenDealer will not be working as a service, it creates and begins a service known as NetDnsActivatorSharing, then exits. If for any cause the service couldn’t be created, persistence is achieved by creating an entry in a Run registry key.
Desk 1 reveals the record of configuration recordsdata utilized by GoldenDealer. These are situated within the listing from which the malware is working: C:WindowsTAPI within the noticed assault. Extra particulars about these recordsdata is offered in subsequent sections.
Desk 1. Configuration recordsdata utilized by GoldenDealer
Filename
Function
b8b9-de4d-3b06-9d44
Retailer standing fields.
fb43-138c-2eb0-c651
Retailer executable recordsdata despatched by the C&C server.
130d-1154-30ce-be1e
Retailer details about all compromised PCs within the community.
38c4-abb9-74f5-c4e5
Used as a mutex. If this file is open, it implies that an occasion of GoldenDealer is already working.
The contents of configuration recordsdata are JSON formatted, and saved XOR encrypted on disk. XOR encryption is carried out one byte at a time, with a single-byte key that’s incremented based mostly on a multiplier.
Community connectivity thread
In an effort to decide whether or not a PC is related to the web, GoldenDealer sends a GET request to https://1.1.1.1/<user_id> each quarter-hour. If the connection fails, or there’s no reply, the PC is assumed to be offline. 1.1.1.1 maps to Cloudflare’s DNS resolver, and the anticipated conduct is to obtain a Not Discovered doc and a 404 standing code. The <user_id> half will not be related right here, however is used for C&C communication. GoldenDealer generates this consumer identifier based mostly on:
The present username as discovered by way of the GetUserNameW API.
The serial variety of the primary out there logical drive within the system. This doesn’t essentially imply the drive the place the OS is put in.
These two strings are individually hashed with the FNV-1a operate, and the ensuing numbers are XORed collectively, acquiring a quantity that identifies the consumer.
To maintain monitor of community connectivity standing, GoldenDealer makes use of a world variable that may maintain any of the next values:
0 – Malware began working and connectivity has not been checked.
1 – PC doesn’t have web connectivity.
2 – PC has web connectivity.
If the standing is 2, a thread is signaled to obtain executable recordsdata from the C&C server, and one other thread is signaled to repeat the executables to USB drives. A thread to get executables from drives and run them will solely be signaled when the standing is 1. At any time when the standing adjustments, the configuration file b8b9-de4d-3b06-9d44 is up to date with the brand new worth. Fields on this file are:
wmk – community connectivity standing.
qotwnk – variety of seconds with out web. This worth is incremented each quarter-hour and reset to zero when there’s connectivity. It may be used if the malware is configured to attend a minimal variety of seconds earlier than deciding that the PC has no connectivity, however there was no wait within the samples that we noticed.
ltwnk – unknown. This discipline will not be utilized by the malware.
rpk – record with hashes of executables downloaded from the C&C server.
Downloader thread
This thread checks the community connectivity standing each half-hour, and solely performs the next actions if the PC is related to the web. First, a GET request is distributed to https://83.24.9[.]124/<user_id>, simply to let the C&C server know that one other request is to comply with. The reply from the server will not be processed. If the request fails, then one other request is distributed to a secondary server, http://196.29.32[.]210/<user_id>, in all probability to inform about failure, because the thread doesn’t proceed to execute on this case. The URLs are hardcoded within the malware and should not configurable within the samples that we noticed.
When communication is profitable, GoldenDealer sends a request to https://83.24.9[.]124/<user_id>/fc93-10f4-2a68-d548. The server replies with an array of JSON objects with the next fields:
ek – a base64-encoded string that’s an executable file after being decoded,
tpik – an array of user_ids used to resolve whether or not the executable will likely be run,
hek – the FNV-1a hash of ek, and
apk – date and time when the executable was obtained from the C&C server.
The contents of the final two fields should not related, as a result of they’re calculated by the downloader thread, changing unique knowledge despatched by the C&C server. In each circumstances, they’re saved as decimal numbers.
GoldenDealer will run an executable despatched by the server if the corresponding user_id is within the tpik record, and the hek hash will not be within the record of hashes saved within the rpk discipline within the configuration. In different phrases, related PCs can obtain executables and cross them alongside to different techniques by way of USB drives, however they will additionally run obtained executables. When an executable is run, its hash is added to the rpk record, making certain that it’ll solely be executed as soon as by that sufferer. Every executable is written within the working listing with the worth of <hek> as its filename. All JSON objects with obtained executables are saved on disk, within the file fb43-138c-2eb0-c651.
As the ultimate step, the downloader thread collects details about the compromised system and sends it to https://83.24.9[.]124/<user_id>/a1e7-4228-df20-1600. The configuration file 130d-1154-30ce-be1e is up to date to retailer this data as effectively. Determine 2 reveals a part of the JSON object with the knowledge despatched to the C&C server. Whereas all strings are despatched as arrays of decimal character codes, for readability we present them as strings within the picture. For instance, as a substitute of lsass.exe, the worth [108, 115, 97, 115, 115, 46, 101, 120, 101] is definitely despatched.
Determine 2. A part of the knowledge despatched by the downloader thread to the C&C server
The members are:
iepk – a Boolean worth that signifies whether or not the GoldenDealer course of is elevated,
pclk – an array of working processes,
pglk – an array of put in applications in each Program Information and Program Information (x86) directories,
pik – the user_id,
sik – details about the working system (together with model, construct, service pack quantity; structure; and Boolean values indicating whether or not the OS is working on a server, area controller, or workstation),
uck – the consumer who’s working the GoldenDealer course of, and
ulk – an array of all customers, every with a Boolean worth indicating whether or not the consumer has administrator privileges.
USB monitoring thread on related PCs
GoldenDealer displays the insertion of detachable drives by making a window titled defaultWindow with a customized occasion handler that processes inserted gadgets and ignores all different system occasions.
As soon as a USB drive has been inserted, this thread patches one byte within the grasp boot report (MBR) of that drive: it searches for the offset the place the BOOTMGR string resides, and replaces the primary O with 0. Then it checks whether or not the second O has additionally been patched to 0, and exits if it hasn’t. The USB thread that runs on air-gapped PCs does the other: it patches the second O, and checks whether or not the primary has already been patched. Because of this the USB drive must have been inserted in each a related PC and an air-gapped PC for the drive to be processed.
If the test is profitable, a hidden listing is created on the USB drive, with two recordsdata written inside:
37b3-ebe5-568e-0676 – this file has the identical contents as fb43-138c-2eb0-c651 (all of the executables despatched by the C&C server). It’s used to cross the executables to air-gapped techniques, for execution.
bc41-ac6f-e55e-61a8 – a file with data from air-gapped PCs. It’s created empty by this thread, then populated by the USB thread working on air-gapped PCs. The contents of this file are appended to the native file 130d-1154-30ce-be1e (see Desk 1), to be despatched to the C&C server by the downloader thread.
USB monitoring thread on air-gapped PCs
That is complementary to the thread described within the earlier part: it takes the file 37b3-ebe5-568e-0676 with executables on the USB drive and copies its contents to the native file fb43-138c-2eb0-c651. It additionally takes the native file 130d-1154-30ce-be1e with details about the air-gapped system and provides its contents to the bc41-ac6f-e55e-61a8 file on the USB drive. The code to acquire system data and to run executables is contained on this thread.
GoldenHowl
One other software from GoldenJackal’s 2019 toolset is GoldenHowl, a backdoor written in Python that consists of varied modules for malicious functionalities. It’s distributed as a self-extracting archive that incorporates respectable Python binaries and libraries, in addition to malicious scripts. Determine 3 reveals the contents of one in all these archives. The attackers renamed the Python executable – in model 2.7.15 – as WinAeroModule.exe. This element is meant to be run on PCs with web connectivity, given its functionalities.
Determine 3. Contents of GoldenHowl’s self-extracting archive
The preliminary script in GoldenHowl, known as core_script within the malware’s configuration file, performs the next actions:
decrypts and hundreds the malware’s configuration from a JSON file,
creates directories utilized by the malware, and
begins a thread for every module.
The malware’s configuration is decrypted utilizing the Fernet algorithm, with the hardcoded key _ylmUTbqcx6FxMZ5ZvNxDQZYuNh41yxhKcPJLzxgqEY=. Determine 4 reveals a part of the decrypted configuration.
Determine 4. A part of GoldenHowl’s decrypted configuration
Desk 2 reveals the Python modules that we’ve noticed – within the order that they seem within the config – together with an outline of their functionalities. All modules run indefinitely, apart from the persistence_schtasks module, which runs solely as soon as.
Desk 2. Malicious modules in GoldenHowl
Module title
File on disk
Description
persistence_schtasks
5991-8d44-b226-0e6c.py
Creates the scheduled job MicrosoftWindowsMultimediaSystemSoundsService2 to persist the execution of core_script.
files_tree
edc5-4055-37cd-d2d2.py
Generates an inventory of recordsdata and directories by calling Home windows’ tree command, for a path laid out in a request despatched by the C&C.
files_stealer
5488-240b-c00f-203a.py
Exfiltrates a single file to the C&C server. The file path is laid out in a request despatched by the C&C.
data_transform
8744-a287-35be-4ea0.py
Utility module that takes incoming requests from the C&C server and decrypts them, and takes responses from different modules that should be despatched to the C&C and encrypts them. The encryption algorithm is Fernet, and the secret’s particular to this module: QRqXhd_iB_Y3LpT2wTVK6Dao5uOq2m5KMiVkMnJfgw4=
transport_http
63d5-be5f-e4df-7e65.py
Utility module that uploads and downloads recordsdata from the C&C server. See the C&C communication part for extra data. Notice that the phrase transport is usually utilized by Turla and MoustachedBouncer to seek advice from a sort of C&C protocol. Though this is likely to be shared throughout Russian-speaking builders, it is a low confidence factor for attribution.
updater
c7b4-0999-aec4-a0c8.py
Utility module that receives a ZIP archive with up to date modules or configuration from the C&C server, extracts the archive, and runs core_script in a brand new course of, terminating the present course of.
sshcmd
1ee0-7c3a-3331-4df3.py
Connects to an SSH server laid out in a request despatched by the C&C. Acts as a reverse shell, executing instructions obtained from the C&C.
ipscanner
a86b-108c-36c7-6972.py
Generates an inventory with energetic IP addresses in an IP vary, based mostly on an IP masks laid out in a request despatched by the C&C server. To take action, it first sends a message to all IP addresses within the vary, on port 59173, after which it runs the command arp -a to acquire the ARP cache tables for all interfaces.
portscanner
2648-69f9-6dc0-3476.py
Generates an inventory with ports which might be accepting connections, based mostly on an IP handle and an inventory of ports laid out in a request despatched by the C&C server.
sshtunnel
9ea4-fb87-6d57-924a.py
Creates an SSH tunnel with an SSH server, to ahead messages going from (and to) a number on a listening port, to a forwarding port on the SSH server. A request from the C&C server specifies: the handle and port of the SSH server, username and password for the SSH session, the forwarding port on the SSH server, and the handle and port of the listening host.
eternalbluechecker
4b19-7f72-8c17-dceb.py
Checks whether or not a number, laid out in a request despatched by the C&C server, is susceptible to a Home windows SMB distant code execution vulnerability. The code for this module is identical as in mysmb.py and checker.py from this public repository. There isn’t a code on this module to use susceptible hosts.
socks_proxy
8b55-3ac9-5c30-d0c4.py
Acts as a proxy server, forwarding packets from a supply handle to a vacation spot handle. The port to pay attention for incoming connections is laid out in a request despatched by the C&C server. The code on this module is similar to that of pysoxy.
text_writer
0ffc-667e-dce4-b270.py
Writes a textual content file to a given path. The trail and textual content for writing are laid out in a request despatched by the C&C server.
C&C communication
In line with GoldenHowl’s configuration, something that comes from the C&C server is known as a request, and recordsdata going to the C&C server characterize a response. It needs to be famous that regardless of this naming conference, GoldenHowl will not be a passive implant: it initiates the connections to the C&C server. The transport_http module is accountable for communication with the C&C server, and for writing requests and responses to particular directories. Desk 3 reveals directories utilized by GoldenHowl.
Desk 3. Directories in GoldenHowl’s configuration
Title in configuration
Title on disk
Description
download_dir
a700‑280c‑f067‑5a06
Shops encrypted requests coming from the C&C server.
upload_dir
b307‑05ea‑7ac8‑c369
Shops encrypted responses, with recordsdata or output of instructions, to be despatched to the C&C server.
data_dir
cda2‑b818‑3403‑b564
Shops requests despatched by the C&C server, that are taken from download_dir, decrypted, and positioned on this listing for modules to course of. Additionally shops output of executed instructions (responses), that are taken from this listing, encrypted, and written to upload_dir. These actions are carried out by the data_transform module.
temp_dir
5bc5‑0788‑d469‑2f3a
This listing was not utilized in any noticed modules.
Requests and responses have structured filenames:
Request – <client_id><module_id><request_id><request_suffix>
Response – <client_id><module_id><request_id><response_suffix>
The fields client_id, request_suffix, and response_suffix are specified within the configuration and are frequent to all modules (see Determine 4 for examples). The sphere module_id signifies which module must course of a request or generate a response, and is outlined within the configuration part of every particular person module. The sphere request_id is generated on the C&C server, and ties collectively requests with responses.
The transport_http module sends GET requests periodically to the C&C server to test for out there requests. The configuration fields particular to this module are:
server_address – handle of the C&C server (we noticed 83.24.9[.]124, the identical handle as GoldenDealer’s server),
server_port – the port used to speak with the server (we noticed 443),
server_use_ssl – signifies whether or not HTTP or HTTPS will likely be used for communication,
base_timeout_sec – the minimal wait time earlier than contacting the C&C server, and
timeout_filename – the filename of a textual content file with a quantity between 0 and 3600, to specify a unique variety of seconds to attend between communications. This file will not be included with GoldenHowl, but it surely may very well be positioned by the attackers with the text_writer module.
The handle used to contact the C&C server is https://<server_address>:<server_port>/<client_id>/.
GoldenRobo
The final of the noticed instruments from the 2019 toolset, GoldenRobo, is an easy element written in Go that executes the Robocopy utility to stage recordsdata and ship them to its C&C server. It iterates throughout all drive letters from A to Z, making an attempt to entry every drive. If profitable, a Robocopy command is constructed:
robocopy <drive_letter>: <malware_folder>1516-fe89-ad12-8102<drive_letter> *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.pdf *.rtf *.tif *.jpg *.jpeg *.crt *.key *.p12 *.ovpn *.zip *.rar “” /S /R:0 /MAXAGE:7 /XD <malware_folder>1516-fe89-ad12-8102 1516-fe89-ad12-8102 “Utility Information” “All Customers” “Paperwork and Settings” “Native Settings”
If we break down the command:
recordsdata are copied from drive_letter,
to <malware_folder>1516-fe89-ad12-8102<drive_letter> (for instance: C:WindowsTAPI1516-fe89-ad12-8102C),
provided that the recordsdata have extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .jpg, .jpeg, .crt, .key, .p12, .ovpn, .zip, or .rar,
together with subdirectories (/S),
not retrying on failed copies (/R:0),
excluding recordsdata older than seven days (/MAXAGE:7), and
excluding specified directories (/XD).
Copied recordsdata from all drives are archived collectively in a ZIP file _1423-da77-fe86<month>-<day> in the identical listing the place GoldenRobo is working (with <month> and <day> equivalent to the present date).
The archive is distributed base64 encoded to https://83.24.9[.]124/8102/. The final a part of the URL is 8102, which is identical because the client_id discipline in GoldenHowl’s configuration. This URL is hardcoded in GoldenRobo, which tells us that the attackers compiled this model of GoldenRobo for this sufferer completely.
The recognized toolset: Beforehand documented by Kaspersky
Just a few weeks after deploying the earlier toolset, GoldenJackal began to make use of different malicious instruments on the identical compromised computer systems. In September 2019, we noticed the execution of PowerShell scripts to obtain the JackalControl backdoor. This backdoor was used to execute different PowerShell scripts, to obtain and run respectable instruments corresponding to Plink and PsExec.
In numerous assaults, between September 2019 and January 2024, we noticed the next instruments in GoldenJackal’s arsenal:
JackalControl,
JackalSteal, a file collector and exfiltrator, and
JackalWorm, used to propagate different malicious parts by way of USB drives. We noticed it propagating the JackalControl backdoor.
As these parts have already been documented by Kaspersky, we is not going to describe them on this blogpost. Nonetheless, one fascinating level to say is that in early variations of those instruments, URLs for C&C servers have been hardcoded within the malware binaries. Sooner or later, GoldenJackal modified JackalControl and JackalSteal to obtain C&C servers as arguments.
The newest toolset: Holding a foothold within the community
In Might 2022, we noticed GoldenJackal utilizing a brand new toolset whereas concentrating on a governmental group in Europe. Most of those instruments are written in Go and supply various capabilities, corresponding to gathering recordsdata from USB drives, spreading payloads within the community by way of USB drives, exfiltrating recordsdata, and utilizing some PCs within the community as servers to ship various recordsdata to different techniques. As well as, we have now seen the attackers utilizing Impacket to maneuver laterally throughout the community.
Within the noticed assaults, GoldenJackal began to make use of a extremely modular method, utilizing numerous parts to carry out totally different duties. Some hosts have been abused to exfiltrate recordsdata, others have been used as native servers to obtain and distribute staged recordsdata or configuration recordsdata, and others have been deemed fascinating for file assortment, for espionage functions. Determine 5 reveals a classification of the parts which might be described over the following sections.
Determine 5. Parts in GoldenJackal’s newest toolset
Concerning community infrastructure, we didn’t observe any exterior IP addresses in any of the analyzed parts. File exfiltrators use publicly out there companies corresponding to Google Drive or Outlook SMTP servers.
GoldenUsbCopy
GoldenUsbCopy, which we classify as a set element, displays the insertion of USB drives, and copies fascinating recordsdata to an encrypted container that’s saved on disk, to be exfiltrated by different parts. In line with strings discovered within the binary, the principle bundle for the appliance is called UsbCopy.
Newly inserted drives are detected by making a window with title WindowsUpdateManager, to obtain system occasions and course of them with a customized handler. If the handler receives a WM_DEVICECHANGE message, with an occasion sort DBT_DEVICEARRIVAL, and the system sort is DBT_DEVTYP_VOLUME, this implies a brand new drive is able to be processed. Determine 6 reveals a side-by-side comparability between decompiled code in GoldenUsbCopy and GoldenDealer. Though every was written in a unique programming language, we will see that the code retrieves the letter of the drive to course of in the identical method.
Determine 6. Code comparability between GoldenUsbCopy and GoldenDealer
GoldenUsbCopy determines which recordsdata to course of from a USB drive based mostly on a configuration that’s saved AES encrypted in CFB mode within the file experiences.ini. The 32-byte key to decrypt the configuration is hardcoded within the malware. After decryption, the configuration incorporates the next fields, in JSON format:
outputCipherFilename – full path to an encrypted archive that acts as a container for different recordsdata, corresponding to recordsdata that comprise listings of filenames from newly inserted drives, and recordsdata to be exfiltrated,
RSAKey – a public key to encrypt AES keys which might be used to encrypt recordsdata to be exfiltrated,
lastDate – recordsdata that have been final modified greater than lastDate days in the past should not processed,
registryKey – a key in HKEY_CURRENT_USER that can retailer SHA-256 hashes of recordsdata already processed for exfiltration,
registryValue – the registry worth that shops the record of hashes,
maxZIPSize – the utmost measurement in bytes for outputCipherFilename (extra particulars beneath),
maxFileSize – recordsdata bigger than maxFileSize, in bytes, should not exfiltrated, and
extensionsFile – an inventory of file extensions for exfiltration (we noticed .docx, .pdf, .doc, and .odt).
As soon as the configuration is decrypted, GoldenUsbCopy waits for a USB drive to be inserted. A list of all recordsdata on the inserted drive is written to a textual content file, which is then archived in a ZIP file, encrypted with AES, and added to outputCipherFilename. Solely the encrypted container is written to disk; intermediate steps, involving textual content recordsdata and archives, are stored in reminiscence.
An identical process is completed for recordsdata on the drive that meet the factors for exfiltration: these recordsdata are archived collectively preserving their listing construction, encrypted with AES, and added to outputCipherFilename. When choosing recordsdata for exfiltration, an inventory with SHA-256 hashes is retrieved from the registry. If the hash of a file is in that record, the file will not be exfiltrated. If the hash isn’t within the record, it’s added, in order that the file gained’t be exfiltrated once more.
At any time when including recordsdata to exfiltrate would exceed the maxZIPSize of outputCipherFilename, the surplus recordsdata should not added to the archive for exfiltration, however their paths are added to a textual content file that’s archived, encrypted, and added to outputCipherFilename.
Concerning encryption, every particular person archive that’s added to the encrypted container is encrypted with AES in CFB mode, with a key and an initialization vector (IV) which might be randomly generated on the spot. Each the important thing and IV should be saved, however solely the secret’s encrypted with RSAKey. Determine 7 reveals an instance of how these fields are saved within the encrypted container.
Determine 7. Construction of the encrypted container
GoldenUsbGo
This element is similar to GoldenUsbCopy and appears to be a later model of it, based mostly on after we noticed them in our telemetry and evaluating Go variations used to compile them. Nonetheless, GoldenUsbGo achieves the identical performance with an easier implementation:
There isn’t a configuration file. All standards for file choice are hardcoded within the malware:
if filename incorporates a particular phrase from an inventory, course of the file no matter all different standards (the record incorporates strings corresponding to cross, login, and key),
else, file measurement have to be no greater than 20 MB,
the date the file was final modified have to be not more than 14 days in the past, and
the file extension have to be one in all .pdf, .doc, .docx, .sh, or .bat.
Insertion of detachable drives will not be repeatedly monitored. A hardcoded record of drive letters is checked periodically to find out if they’ve an assigned quantity of D:, E:, F:, G:, or H:.
The record of hashes of recordsdata that have been already processed is stored in reminiscence solely.
There isn’t a measurement restrict for the encrypted container the place recordsdata are staged for exfiltration.
Information should not archived however as a substitute are compressed with gzip. Each file contents and filenames are compressed. Determine 8 reveals how compressed knowledge is organized earlier than encryption.
Determine 8. Fields used for gzip-compressed recordsdata, earlier than encryption
The trail to the encrypted container is hardcoded within the malware:
C:Customers[redacted]appdatalocalSquirrelTempSquirrelCache.dat
The hardcoded username within the path, redacted above, together with the brief record of drives and particular filenames to course of, inform us that GoldenUsbGo was compiled and tailor-made for this specific sufferer.
Compressed recordsdata are encrypted with AES in CFB mode with the hardcoded key Fn$@-fR_*+!13bN5. The construction is identical as in GoldenUsbCopy (proven in Determine 7) however with out the AES key. After compressing the recordsdata, GoldenUsbGo generates an inventory of all recordsdata on the inserted drive and provides it to the encrypted container, in the identical method as exfiltrated recordsdata. The filename for the itemizing is shaped from the present date and time, changing : with – (for instance, 15 Jan 24 13-21 PST).
GoldenAce
This element, which we categorised as a distribution software in Determine 5, serves to propagate different malicious executables and retrieve staged recordsdata by way of USB drives. Whereas it may very well be used to focus on air-gapped techniques, it’s not particularly constructed for that, versus GoldenDealer. It really works along with a light-weight model of JackalWorm and another unknown element.
GoldenAce periodically checks drives within the record G:, H:, I:, J:, Ok:, L:, M:, N:, P:, X:, Y:, and Z:, to seek out one that’s mapped to a quantity. Then it checks whether or not a trash listing exists within the root of that drive. If it doesn’t exist, it’s created as hidden, and a file known as replace is copied to that listing, from the identical location the place GoldenAce is working. The primary listing on the drive (in alphabetical order) that isn’t hidden is ready to hidden, and a file known as improve is copied to the foundation of the drive and renamed as <name_of_hidden_directory>.exe.
The file improve is definitely JackalWorm, an executable that makes use of a folder icon, and whose function is to repeat and run the replace file on one other system the place the USB drive is inserted. In contrast to the model of JackalWorm described by Kaspersky, this one may be very restricted: it doesn’t have code to watch drive insertions, and it can’t be configured to carry out numerous actions. When executed from the foundation listing of a detachable drive, it opens the hidden folder in Home windows Explorer and writes a batch file to execute the payload in replace. Contents of this file, replace.bat, are proven in Determine 9.
@echo off
copy “<drive_letter>:trashupdate” “C:UserspercentusernamepercentAppDataLocalupdate.exe”
“C:UserspercentusernamepercentAppDataLocalupdate.exe” “<drive_letter>:trash”
:check1
@tasklist | findstr /i /b “replace.exe” >nul
@if %errorlevel%==0 goto check1
@del /f /q /a h “C:UserspercentusernamepercentAppDataLocalupdate.exe”
@del /f /q “C:Customers<username>AppDataLocalupdate.bat”
Determine 9. Contents of replace.bat
We are able to see that replace is run and deleted, together with the batch file, as soon as it’s executed working. Whereas we didn’t observe the contents of the replace element, it’s possible that it collects recordsdata and levels them within the trash listing on the detachable drive, for the reason that path to that listing is handed as an argument to replace.
When GoldenAce finds that the listing trash already exists on a drive, as a substitute of copying recordsdata to the drive, it copies recordsdata within the trash listing to C:ProgramDataMicrosoftWindowsDeviceMetadataCache.
HTTP server
We noticed Python’s HTTP server, packaged with PyInstaller, being executed by way of C:Windowssystem32cmd.exe /Ok C:Windowsmsahci.cmd. Sadly, we didn’t observe the contents of the msahci.cmd file, so we don’t know the arguments handed for execution, such because the port for the server to pay attention on.
GoldenBlacklist
As a processing element, GoldenBlacklist downloads an encrypted archive from a neighborhood server, and processes e mail messages contained in it, to maintain solely these of curiosity. Then it generates a brand new archive for another element to exfiltrate.
The URL to retrieve the preliminary archive is hardcoded: https://<local_ip_address>/update46.zip. The downloaded file is saved as res.out, and AES decrypted with the hardcoded key k9ksbu9Q34HBKJuzHIuGTfHL9xCzMl53vguheOYA8SiNoh6Jqe62F7APtQ9pE, utilizing a respectable OpenSSL executable.
The decrypted archive, update46.tar.gz, is extracted in reminiscence, and solely these recordsdata that match sure standards are written to a subdirectory tmp, within the listing the place the malware is working. Standards:
The file doesn’t comprise any e mail on a blocklist of e mail addresses. That is executed to take away e mail messages that come from senders that normally should not fascinating. Whereas we will’t embrace the complete record right here, it’s price mentioning that most of the e mail addresses are associated to newsletters and press releases. It’s necessary to notice that the attackers should have been working for a while to construct an inventory like this.
The file incorporates the string Content material-Sort: utility. That is to maintain e mail messages which have attachments, corresponding to PDF recordsdata, Microsoft Workplace recordsdata, and archives, to call a couple of.
As soon as the recordsdata are chosen, GoldenBlacklist archives the tmp listing and encrypts it with openssl.exe, utilizing the identical encryption key because the one used to decrypt the preliminary archive. The ensuing file is archive.out. All intermediate recordsdata and folders are then deleted, in addition to openssl.exe, libssl-3-x64.dll, and libcrypto-3-x64.dll, all situated within the malware’s listing. This means that one other element that we didn’t observe copied these respectable binaries there within the first place.
GoldenPyBlacklist
GoldenPyBlacklist is a Python implementation of GoldenBlacklist. It was packaged with PyInstaller and the unique title of the script is duplxer_black_list_for_external_use.py. Some variations to the opposite element are:
the preliminary archive is written as ress.out,
the important thing for decryption is identical, apart from a unique first character,
the decrypted archive is extracted to the C:WindowsSystem32temp listing for processing,
one extra criterion for file choice is added to course of solely filenames that finish in .msg (these are recordsdata created with Microsoft Outlook),
recordsdata that don’t meet the factors are deleted,
the ultimate archive is created with the 7-Zip archiver, and
the ultimate encrypted file is called ArcSrvcUI.ter.
GoldenMailer
Labeled as an exfiltration element, GoldenMailer exfiltrates recordsdata by sending emails with attachments to attacker-controlled accounts. It was written in Python and packaged with PyInstaller, and the unique title of the script is send_to_hole.py. GoldenMailer connects to respectable servers – both smtp-mail.outlook.com or smtp.office365.com – to ship e mail messages, utilizing SMTP on port 587.
The configuration is learn from a file, C:ProgramDataMicrosoftWindowsCachescversions.ini, in the identical listing the place GoldenMailer is working. The configuration consists of the next 5 strains:
e mail handle to authenticate to the SMTP server, and to make use of as each sender and vacation spot handle,
password to authenticate to the SMTP server,
path to listing with archives to exfiltrate,
base filename (e.g., press.pdf) used for archives to exfiltrate; these archives use the next naming conference: <base_filename>.<three_digit_sequence_number>, and
variety of recordsdata to exfiltrate.
We seen that this configuration file was copied from one other PC within the native community. Provided that the configuration file signifies what number of archives can be found to be exfiltrated, we assume that these archives should even be copied over the community, separating the duties of assortment, distribution, and exfiltration. It’s possible that the configuration file is generated by the element in command of gathering recordsdata and creating archives for exfiltration, however we didn’t observe that element.
Determine 10 reveals an instance of an e mail message despatched by GoldenMailer. The topic has a typo: it reads Press realese. The physique may be very easy and reads: Each day Information about Israel-Hamas battle. These strings are hardcoded within the malware’s binary. Just one attachment is distributed per e mail; if there are numerous archives to exfiltrate, one e mail is distributed for every.
Determine 10. Instance of an e mail message used to exfiltrate recordsdata
The configuration recordsdata that we noticed contained the next e mail addresses:
mariaalpane@outlook[.]com
katemarien087@outlook[.]com
spanosmitsotakis@outlook[.]com
GoldenDrive
Versus GoldenMailer, this element exfiltrates recordsdata by importing them to Google Drive. Crucial credentials are present in two recordsdata, that are hardcoded within the malware: credentials.json, which incorporates fields corresponding to client_id and client_secret, and token.json, with fields corresponding to access_token and refresh_token. A reference to Google Drive’s API and a few code snippets within the Go programming language may be discovered right here.
Just like GoldenMailer, this element can add just one file at a time. GoldenDrive is executed with an argument that gives the complete path to the file to add.
Conclusion
On this blogpost, we revealed two new toolsets utilized by the GoldenJackal APT group to focus on air-gapped techniques of governmental organizations, together with these in Europe. Widespread functionalities embrace using USB drives to steal confidential paperwork.
Managing to deploy two separate toolsets for breaching air-gapped networks in solely 5 years reveals that GoldenJackal is a classy risk actor conscious of community segmentation utilized by its targets.
A complete record of indicators of compromise (IoCs) may be present in our GitHub repository.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides personal APT intelligence experiences and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.
IoCs
Information
SHA-1
Filename
Detection
Description
DA9562F5268FA61D19648DFF9C6A57FB8AB7B0D7
winaero.exe
Win32/Agent.AGKQ
GoldenDealer.
5F12FFD272AABC0D5D611D18812A196A6EA2FAA9
1102720677
Python/Agent.ANA
Python/HackTool.Agent.W
Python/Riskware.LdapDump.A
Python/Riskware.Impacket.C
GoldenHowl.
6DE7894F1971FDC1DF8C4E4C2EDCC4F4489353B6
OfficeAutoComplete.exe
WinGo/Agent.AAO
GoldenRobo.
7CB7C3E98CAB2226F48BA956D3BE79C52AB62140
prinntfy.dll
WinGo/DataStealer.A
GoldenUsbCopy.
8F722EB29221C6EAEA9A96971D7FB78DAB2AD923
zUpdater.exe
WinGo/Spy.Agent.AH
GoldenUsbGo.
24FBCEC23E8B4B40FEA188132B0E4A90C65E3FFB
fc.exe
WinGo/DataStealer.C
GoldenAce.
A87CEB21EF88350707F278063D7701BDE0F8B6B7
improve
MSIL/Agent.WPJ
JackalWorm – less complicated model.
9CBE8F7079DA75D738302D7DB7E97A92C4DE5B71
fp.exe
WinGo/Spy.Agent.CA
GoldenBlacklist.
9083431A738F031AC6E33F0E9133B3080F641D90
fp.exe
Python/TrojanDownloader.Agent.YO
GoldenPyBlacklist.
C830EFD843A233C170285B4844C5960BA8381979
cb.exe
Python/Agent.ALE
GoldenMailer.
F7192914E00DD0CE31DF0911C073F522967C6A97
GoogleUpdate.exe
WinGo/Agent.YH
GoldenDrive.
B2BAA5898505B32DF7FE0A7209FC0A8673726509
fp.exe
Python/Agent.ALF
Python HTTP server.
Community
IP
Area
Internet hosting supplier
First seen
Particulars
83.24.9[.]124
N/A
Orange Polska Spolka Akcyjna
2019‑08‑09
Major C&C server utilized by GoldenJackal in 2019.
196.29.32[.]210
N/A
UTANDE
2019‑08‑09
Secondary C&C server utilized by GoldenJackal in 2019.
N/A
help[.]uz
N/A
2019‑09‑25
Compromised web site used to obtain malware.
N/A
thehistore[.]com
N/A
2019‑09‑25
Compromised web site used as a C&C server.
N/A
xgraphic[.]ro
N/A
2019‑09‑25
Compromised web site used as a C&C server.
E-mail Addresses
mariaalpane@outlook[.]com
katemarien087@outlook[.]com
spanosmitsotakis@outlook[.]com
MITRE ATT&CK methods
This desk was constructed utilizing model 15 of the MITRE ATT&CK framework.
Tactic
ID
Title
Description
Useful resource Improvement
T1583.003
Purchase Infrastructure: Digital Non-public Server
GoldenJackal in all probability acquired a VPS server to make use of as a secondary C&C server for the GoldenDealer malware.
T1583.004
Purchase Infrastructure: Server
GoldenJackal possible acquired a server to make use of as a major C&C server for the GoldenDealer malware.
T1584.006
Compromise Infrastructure: Net Providers
GoldenJackal has used compromised WordPress websites for C&C infrastructure, utilized by the JackalControl and JackalSteal malware.
T1587.001
Develop Capabilities: Malware
GoldenJackal develops its personal customized malware.
T1585.003
Set up Accounts: Cloud Accounts
GoldenJackal has used Google Drive to retailer exfiltrated recordsdata and bonafide instruments.
T1588.002
Receive Capabilities: Device
GoldenJackal makes use of respectable instruments, corresponding to Plink and PsExec, for post-compromise operations.
Execution
T1059.001
Command and Scripting Interpreter: PowerShell
GoldenJackal executed PowerShell scripts to obtain the JackalControl malware from a compromised WordPress web site.
T1059.003
Command and Scripting Interpreter: Home windows Command Shell
GoldenAce makes use of cmd.exe to run a batch script to execute different malicious parts.
T1059.006
Command and Scripting Interpreter: Python
GoldenHowl incorporates numerous malicious modules which might be Python scripts.
T1106
Native API
GoldenDealer can copy and run an executable file with the CreateProcessW API.
T1569.002
System Providers: Service Execution
GoldenDealer can run as a service.
T1204.002
Person Execution: Malicious File
JackalWorm makes use of a folder icon to entice a possible sufferer to launch it.
Persistence
T1543.003
Create or Modify System Course of: Home windows Service
GoldenDealer creates the service NetDnsActivatorSharing to persist on a compromised system.
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
If GoldenDealer fails to create a service for persistence, an entry in a Run registry secret is created as a substitute.
T1053.005
Scheduled Activity/Job: Scheduled Activity
GoldenHowl creates the scheduled job MicrosoftWindowsMultimediaSystemSoundsService2 for persistence.
Protection Evasion
T1564.001
Disguise Artifacts: Hidden Information and Directories
GoldenDealer modifies the registry in order that hidden recordsdata and directories should not proven in Home windows Explorer. GoldenDealer, GoldenAce, and Jackal worm create hidden folders on USB drives.
T1070.004
Indicator Elimination: File Deletion
GoldenAce deletes payloads after they’re run. GoldenBlacklist and GoldenPyBlacklist delete intermediate recordsdata after the ultimate archives are generated.
T1036.005
Masquerading: Match Respectable Title or Location
GoldenUsbCopy makes use of a respectable Firefox listing C:Customers<username>AppDataRoamingMozillaFirefox to stage recordsdata.
T1036.008
Masquerading: Masquerade File Sort
JackalWorm makes use of a folder icon to disguise itself as a non-executable file.
T1112
Modify Registry
GoldenDealer modifies the registry in order that hidden recordsdata and directories should not proven in Home windows Explorer.
T1027.013
Obfuscated Information or Data: Encrypted/Encoded File
GoldenJackal makes use of numerous encryption algorithms in its toolset, corresponding to XOR, Fernet, and AES, to encrypt configuration recordsdata and recordsdata to be exfiltrated.
Credential Entry
T1552.001
Unsecured Credentials: Credentials In Information
GoldenUsbGo seems for recordsdata with filenames which might be normally related to credentials.
T1552.004
Unsecured Credentials: Non-public Keys
GoldenUsbGo seems for recordsdata which will comprise personal keys, corresponding to these with filenames that comprise id_rsa.
Discovery
T1087.001
Account Discovery: Native Account
GoldenDealer collects details about all consumer accounts on a compromised system.
T1083
File and Listing Discovery
GoldenHowl has a module to generate an inventory of recordsdata and directories on a compromised system. GoldenUsbCopy and GoldenUsbGo generate an inventory of recordsdata and directories on a USB drive.
T1046
Community Service Discovery
GoldenHowl can scan a distant system for open ports, and whether or not the goal is susceptible to EternalBlue malware.
T1120
Peripheral Gadget Discovery
GoldenDealer and GoldenUsbCopy monitor the insertion of detachable drives. GoldenUsbGo and GoldenAce test for numerous drive letters, to detect connected detachable drives.
T1057
Course of Discovery
GoldenDealer obtains details about working processes on a compromised system.
T1018
Distant System Discovery
GoldenHowl can scan an IP vary to find different techniques.
T1518
Software program Discovery
GoldenDealer obtains details about put in applications on a compromised system.
T1082
System Data Discovery
GoldenDealer obtains numerous details about the working system and consumer accounts on a compromised system.
T1016.001
System Community Configuration Discovery: Web Connection Discovery
GoldenDealer can decide whether or not a pc is related to the web.
T1135
Community Share Discovery
GoldenAce checks an inventory of drive letters that may embrace community shares.
Lateral Motion
T1210
Exploitation of Distant Providers
GoldenHowl can test for a Home windows SMB distant code execution vulnerability that may then be exploited for lateral motion.
T1091
Replication By way of Detachable Media
GoldenDealer copies executables to and from USB drives, to focus on air-gapped techniques. GoldenAce propagates malicious executables by way of detachable drives.
Assortment
T1560.002
Archive Collected Information: Archive by way of Library
GoldenRobo and GoldenUsbCopy archive recordsdata to be exfiltrated with the ZIP library.
T1119
Automated Assortment
GoldenUsbCopy and GoldenUsbGo routinely stage recordsdata for later exfiltration, when a brand new detachable drive is detected.
T1005
Information from Native System
Most instruments in GoldenJackal’s toolset accumulate data and recordsdata from the native system.
T1025
Information from Detachable Media
GoldenUsbCopy and GoldenUsbGo accumulate fascinating recordsdata from detachable media. GoldenAce can retrieve staged recordsdata from a particular listing on a detachable drive. GoldenDealer can retrieve data from compromised techniques from a particular listing on a detachable drive.
T1074.001
Information Staged: Native Information Staging
Most instruments in GoldenJackal’s toolset stage recordsdata domestically for different parts to course of or exfiltrate them.
T1114.001
E-mail Assortment: Native E-mail Assortment
GoldenBlacklist and GoldenPyBlacklist course of e mail recordsdata that have been collected by an unknown element in GoldenJackal’s toolset.
Command and Management
T1071.001
Utility Layer Protocol: Net Protocols
GoldenDealer and GoldenHowl use HTTPS for communication.
T1092
Communication By way of Detachable Media
GoldenDealer makes use of detachable media to cross executables to air-gapped techniques, and data from these techniques again to related techniques.
T1132.001
Information Encoding: Customary Encoding
Executable recordsdata despatched from the C&C server to GoldenDealer are base64 encoded.
T1572
Protocol Tunneling
GoldenHowl can ahead messages by way of an SSH tunnel.
T1090.001
Proxy: Inside Proxy
GoldenHowl can act as a proxy, forwarding packets.
Exfiltration
T1041
Exfiltration Over C2 Channel
GoldenHowl exfiltrates recordsdata by way of the identical channel used as its C&C.
T1052.001
Exfiltration Over Bodily Medium: Exfiltration over USB
GoldenJackal’s toolset supplies capabilities to repeat recordsdata from air-gapped techniques and transfer them to related techniques by way of USB drives, for exfiltration.
T1567.002
Exfiltration Over Net Service: Exfiltration to Cloud Storage
GoldenDrive exfiltrates recordsdata to an attacker-controlled Google Drive account.
T1048.002
Exfiltration Over Various Protocol: Exfiltration Over Uneven Encrypted Non-C2 Protocol
GoldenMailer exfiltrates recordsdata by way of SMTP, utilizing STARTTLS on port 587.