
GoldenJackal Silently Targets Middle East & South Asia Government Entities
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
A newly discovered Advanced Persistent Threat (APT) group named ‘GoldenJackal’, known to have been active since 2019, has been stealthily targeting government and diplomatic organizations in the Middle East and South Asia, reports Kaspersky.
The Russian cybersecurity firm has been monitoring the group’s activity since mid-2020 and has observed it targeting a small number of entities in countries including Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. This narrow targeting has helped the threat actor remain relatively obscure.
With its primary focus on collecting government secrets and information, GoldenJackal employs a specific set of malware tools to control victims’ devices, steal credentials and users’ web activity information, capture screenshots, spread to other systems via removable devices, and exfiltrate data.
Kaspersky notes that the threat actor has been observed using fake Skype installers and malicious Word documents as its initial attack vectors. The fake Skype installer contains two resources: the JackalControl Trojan and a legitimate Skype for Business standalone installer. The malicious Word document delivers the malware by exploiting the Microsoft Office Follina vulnerability (CVE-2022-30190).
The toolset is built on a specific family of .NET malware, at the centre of which is JackalControl. This primary trojan allows the APT to remotely control the victim’s devices through a supported set of predefined commands; the malware can execute arbitrary programs as well as upload and download files.
Over the years, Kaspersky has discovered different variants of this malware: some are configured to maintain persistence, while others run without infecting the system. Other tools deployed by GoldenJackal include JackalSteal, JackalWorm, JackalPerInfo and JackalScreenWatcher.
Based on Kaspersky’s observations, GoldenJackal has not been linked to any known threat actor. The closest actor the cybersecurity firm associates it with is ‘Turla’, because both are known to use .NET-based tools and compromised WordPress websites as C2. However, Kaspersky’s Giampaolo also states that, “Despite these similarities, we assessed with low confidence that there is a connection between GoldenJackal and Turla, since neither of these is unique to either threat actor”.

Rheinmetall AG, Leading German Weapons Manufacturer, Confirms Black Basta Cyberattack
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
Rheinmetall AG, the Germany-based automotive and arms manufacturer, confirmed that the Black Basta ransomware group was behind the April 2023 cyberattack. The attack affected only the civilian business of its automotive division.
With over 27,000 employees and a reported revenue of EUR 6.4 billion in 2022, Rheinmetall AG is one of the leading players in the automotive and arms manufacturing business and operates at 132 locations and production sites worldwide.
Rheinmetall’s April cyberattack was first reported by Spiegel magazine, which at the time was unable to confirm the origin of the attack. The story resurfaced last week when the Black Basta gang posted screenshots of the allegedly stolen data on its dark web blog.
The company is said to be on the target list of Killmilk, the founder and former leader of Killnet, a Russia-based private military and hacking company. Recently, the group has been targeting pro-Ukraine companies and countries across the US and Europe. Rheinmetall is one of the key suppliers of weapons to Ukraine and has been subjected to attacks by Killmilk and his supporters.
According to Rheinmetall, the arms business, comprising weapons and vehicle manufacturing, remained unaffected, as the company maintains separate IT infrastructure for its civilian and military divisions.
The company also confirmed that it is already investigating to determine the extent of the damage and has informed the relevant authorities, including filing a criminal complaint with the public prosecutor’s office in Cologne.
Earlier this year, the group tried to attack the company’s network, including its IT infrastructure in Germany and Australia, by deploying swarm-based attacks. At that time, however, the company confirmed that no real damage to the day-to-day operations of its IT infrastructure was visible.
In the April 2023 attack, the Black Basta ransomware gang used a double extortion method, in which the threat actors publish stolen data in stages to pressure the victim into paying the ransom within a specified time.
According to security researchers, Black Basta, which first appeared in April 2022, is associated with the Russia-linked cybercrime group FIN7. It has been linked to recent high-profile cyberattacks in the US and Europe, including those on the American Dental Association, the German company Deutsche Windtechnik, the Swiss company ABB, and the British outsourcing company Capita.