
Mysterious Hacking Group Has 2 New Tools for Stealing Data from Air-Gapped Devices

The newly discovered toolkit is made up of many different building blocks, written in multiple languages and with varied capabilities. The overall goal appears to be greater flexibility and resilience in the event that a single module is targeted.

“Their goal is to find hard-to-get data from closed systems and stay under the radar as much as possible,” Costin Raiu, a researcher who worked at Kaspersky at the time it was researching GoldenJackal, wrote in an interview. “Multiple search methods represent a flexible toolkit that can handle all kinds of situations. These multiple tools show that it’s a very customizable framework where it uses exactly what it needs, unlike malware that can do anything.”

Another new insight provided by the ESET study is GoldenJackal’s interest in targets located in Europe. Kaspersky’s researchers had found the group targeting countries in the Middle East.

Based on the information available to Kaspersky, the company’s researchers could not tie GoldenJackal to any country. ESET was also unable to definitively identify a country, but found hints that the threat group may have ties to Turla, a powerful hacking group working for Russia’s FSB intelligence agency. The tie comes in the form of a command-and-control protocol in GoldenHowl called transport_http. A similar expression is found in the malware known as Turla.

Raiu said the widely used method is also similar to Red October, an espionage platform discovered in 2013 that targeted hundreds of diplomatic, government and scientific organizations in at least 39 countries, including the Russian Federation, Iran and the United States.

While much of Tuesday’s report contains technical analysis that may be too advanced for most people to follow, it does provide important new information that improves insight into malware designed to bypass air gaps and into the tactics, techniques, and procedures (TTPs) of those who use it. The report will also be useful to people responsible for protecting the types of organizations that are often targeted by nation-state groups.

“I would say this is very interesting for security people working in embassies and government CERTs,” Raiu said. “They must check whether these TTPs exist and keep a close eye on them. If you were a victim of Turla or Red October I would look into this.”

This story first appeared on Ars Technica.
