Source: heimdalsecurity.com – Author: Livia Gyongyoși
Security researchers have discovered JaskaGO, a new information-stealing malware that infects both Windows and macOS and uses several methods to persist on the infected system.
Researchers observed several variants of the malware posing as installers for legitimate software such as the CapCut video editor, AnyConnect, and some security tools.
The malware is written in Go (Golang), part of a wider trend of malware authors adopting this simple, easy-to-use language.
Another property of Go that attackers rely on is cross-platform compilation: the same code base can be built for both macOS and Windows, so the malware is just as dangerous on one as on the other.
What does JaskaGO malware do?
After its evasion checks, JaskaGO starts collecting information from the infected system and then beacons to its command-and-control (C&C) server for further instructions.
Some of the commands JaskaGO can receive are:
- Harvest data and exfiltrate it to the C&C server
- Execute files on disk or in memory
- Run shell commands
- Retrieve the list of running processes
- Steal cryptocurrency
- Execute arbitrary tasks
- Deploy and run additional malware
- Exit and delete itself
As a stealer, JaskaGO can:
- Steal browser credentials
- Access browsing history
- Access cookies
- Steal the master key used to decrypt the passwords stored in logins.json (Firefox's password store)
- Read profile files (profile.ini and entries matching ^Profile\d+$)
- Read login information from the “Login Data” database (Chromium-based browsers)
- Search for cryptocurrency-wallet browser extensions
Cross-platform persistence methods
JaskaGo malware can ensure persistence both on Windows and macOS operating systems.
Two methods to persist on Windows
- Creates a Windows service and starts it
- Creates a Windows Terminal profile by writing the file “C:\Users\$env:UserName\AppData\Local\Packages\Microsoft.WindowsTerminal_*\LocalState\settings.json”.
It configures that settings file so that, on every Windows start, Windows Terminal launches a PowerShell process that executes the malware.
The four-step process to persist on macOS
Step 1 – Execute as root.
Step 2 – Disable Gatekeeper. JaskaGO does this with the command “spctl --master-disable”, which turns off the assessment that would otherwise block unsigned or un-notarized code; the command needs root privileges, which is why step 1 comes first.
Step 3 – JaskaGO copies and renames itself using the format “com.%s.appbackgroundservice” (the %s placeholder is filled in at runtime) so that it blends in with legitimate background services.
Step 4 – It creates a LaunchDaemon (if running as root) or a LaunchAgent (if not) so that the malware is launched automatically at system startup or user login.
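Detection logic for the Windows and macOS persistence artifacts described in the two sections above, as an added Python example (this is not code from the original article or from the malware's authors). It parses a Windows Terminal settings.json for a profile that launches a hidden PowerShell payload and for the settings that make it run at logon, parses a LaunchDaemon/LaunchAgent plist for the com.%s.appbackgroundservice label and a payload in a user-writable location, interprets the output of `spctl --status`, and can sweep the live host. The sample settings file, plist, GUIDs and payload paths are constructed for the demonstration, and the heuristics (which PowerShell flags and directories count as suspicious) are the example's own assumptions, not indicators from the report.

```python
"""Hunt for the Windows and macOS persistence artifacts described above.  Added example
for this article, not code from the original post or the malware's authors; the samples
it inspects are constructed inline (made-up GUIDs, paths and labels) so it runs offline."""
import json, plistlib, re
from pathlib import Path

# Windows Terminal keeps per-user settings here (relative to the user's profile directory).
WT_SETTINGS_GLOB = "AppData/Local/Packages/Microsoft.WindowsTerminal_*/LocalState/settings.json"
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
HIDDEN_PS_FLAGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "-noprofile", "-nop ")
WIN_USER_WRITABLE_RE = re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\|%APPDATA%|%TEMP%", re.IGNORECASE)
# macOS: the label format named in the article (%s is filled in by the malware) and user-writable prefixes.
LABEL_RE = re.compile(r"^com\.[^.]+\.appbackgroundservice$")
MAC_USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def _load_jsonc(text: str) -> dict:
    """settings.json may carry // comment lines; drop them before parsing."""
    return json.loads("\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("//")))

def check_windows_terminal_settings(settings_text: str) -> list[str]:
    """Flag profiles that launch a hidden PowerShell payload from a user-writable path,
    plus the settings that make such a profile run at logon."""
    cfg = _load_jsonc(settings_text)
    findings, flagged_guids = [], set()
    if cfg.get("startOnUserLogin") is True:
        findings.append("startOnUserLogin is true: Windows Terminal starts at every logon")
    profiles = cfg.get("profiles", {})
    entries = profiles if isinstance(profiles, list) else profiles.get("list", [])  # both forms are valid
    for p in entries:
        cmd = p.get("commandline") or ""
        reasons = []
        if POWERSHELL_RE.search(cmd):
            if any(flag in cmd.lower() for flag in HIDDEN_PS_FLAGS):
                reasons.append("hidden/encoded PowerShell flags")
            if WIN_USER_WRITABLE_RE.search(cmd):
                reasons.append("runs a payload from a user-writable path")
        if reasons:
            flagged_guids.add(p.get("guid"))
            findings.append(f"profile {p.get('name', '?')!r}: " + ", ".join(reasons))
    if cfg.get("defaultProfile") and cfg.get("defaultProfile") in flagged_guids:
        findings.append("defaultProfile points at a flagged profile: it runs every time Terminal opens")
    return findings

def check_launch_plist(plist_bytes: bytes) -> list[str]:
    """Flag a LaunchDaemon/LaunchAgent by label pattern and payload location.  RunAtLoad is
    reported only next to another finding, because legitimate launch items use it too."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    if LABEL_RE.match(plist.get("Label", "")):
        findings.append(f"Label {plist['Label']!r} matches com.<name>.appbackgroundservice")
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    if args and str(args[0]).startswith(MAC_USER_WRITABLE):
        findings.append(f"executes {args[0]!r} from a user-writable location")
    if findings and plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad is true: starts at boot (daemon) or at login (agent)")
    return findings

def gatekeeper_disabled(spctl_status_output: str) -> bool:
    """Interpret `spctl --status` output ("assessments enabled" / "assessments disabled")."""
    return "assessments disabled" in spctl_status_output.lower()

def scan_host() -> dict[str, list[str]]:
    """Apply the checks to the live machine; returns nothing on a host without either artifact."""
    results, home = {}, Path.home()
    for f in home.glob(WT_SETTINGS_GLOB):
        results[str(f)] = check_windows_terminal_settings(f.read_text(encoding="utf-8-sig"))
    for d in (home / "Library/LaunchAgents", Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")):
        for f in (d.glob("*.plist") if d.is_dir() else []):
            try:
                results[str(f)] = check_launch_plist(f.read_bytes())
            except Exception as exc:  # unreadable or malformed plist: record it and keep sweeping
                results[str(f)] = [f"could not parse: {exc}"]
    return results

# Constructed sample: a settings.json carrying a hidden profile of the kind described above.
SAMPLE_WT_SETTINGS = json.dumps({
    "startOnUserLogin": True,
    "defaultProfile": "{1d1a0c9e-0000-4a4a-8b8b-cafe00000001}",
    "profiles": {"list": [
        {"name": "Windows PowerShell", "guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}",
         "commandline": "powershell.exe"},
        {"name": "Updater", "guid": "{1d1a0c9e-0000-4a4a-8b8b-cafe00000001}", "hidden": True,
         "commandline": "powershell.exe -WindowStyle Hidden -NoProfile "
                        "-Command \"& 'C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe'\""},
    ]},
})
# Constructed sample: a LaunchAgent using the label pattern the article names.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.updater.appbackgroundservice</string>
  <key>ProgramArguments</key><array><string>/Users/Shared/.updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line in check_windows_terminal_settings(SAMPLE_WT_SETTINGS) + check_launch_plist(SAMPLE_PLIST):
        print("[!]", line)
```

Run it as a script to see the findings on the constructed samples, or call scan_host() on a workstation. Two design choices keep the noise down: a Windows Terminal profile is flagged only when its command line both invokes PowerShell and shows hidden-window or encoded flags or a payload in a user-writable directory (the stock "Windows PowerShell" profile in the sample is therefore not reported), and RunAtLoad is reported only alongside another finding, since most legitimate launch items set it. The Gatekeeper check expects you to feed it the output of `spctl --status`, which prints "assessments disabled" after `spctl --master-disable` has been run.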
How to prevent or respond to a JaskaGO malware infection
Researchers warn that JaskaGO can go undetected by traditional antivirus products, so I recommend an XDR solution to protect your systems against this sort of sophisticated malware.
To keep safe from JaskaGO deployment and data exfiltration:
Since the observed variants arrive as fake installers for CapCut, AnyConnect and security tools, download software only from the vendor's official site.
Use a DNS security tool to detect and block malicious communication attempts on the spot. DNS filtering can stop the download of the malware from a known-malicious domain, and if a device is infected anyway, blocking resolution of the C&C domain prevents exfiltration over that channel. Note that this only covers domains the filter already classifies as malicious; it will not stop traffic to a fresh domain or to a hard-coded IP address.
Educate employees to recognize phishing emails and avoid clicking malicious links.
Use an email security tool to keep malicious emails out of your team's inboxes.
In case of a JaskaGO infection, an XDR solution that integrates a next-generation antivirus is the way to go. Choose one of the best XDR solutions to detect and contain the incident before it damages your systems.
Original Post URL: https://heimdalsecurity.com/blog/jaskago-malware/
Category & Tags: Cybersecurity News – Cybersecurity News