Heimdal
article featured image

Contents:

Security researchers discovered a new JaskaGO malware stealer that can infect both Windows and macOS. JaskaGO uses various methods to persist in the infected system.

Researchers observed various malware versions impersonating installers for legitimate software like CapCut video editor, AnyConnect, and some security tools.

The malware is crafted in Golang (Go) and is part of a larger trend that uses this simple and easy-to-use programming language.

Another advantage of Go that hackers rely on is its cross-platform capabilities. So, it is just as dangerous for macOS as it is for Windows.

What does JaskaGO Malware do

Once it ensures it will go undetected by traditional antiviruses, the JaskaGo malware starts collecting information from the infected system. Then it beacons to its command-and-control center for further instructions.

Some of the commands JaskaGo can receive are:

  • Harvest data and exfiltrate it to the command-and-control server
  • Execute files on disk or in memory
  • Run shell commands
  • Retrieve the running process list
  • Steal cryptocurrency
  • Execute random tasks
  • Deploy and run additional malware
  • Initiate an exit process and delete itself

As a stealer malware, JaskaGo can:

  • Steal browser credentials
  • Access browsing history
  • Access Cookies
  • Store master key to decrypt all passwords stored in logins.json.
  • See profile files (profile.ini, ^Profile\d+$)
  • Get login information from the “Login Data” folder
  • Search for browsers crypto wallets extension

Cross-platform persistence methods

JaskaGo malware can ensure persistence both on Windows and macOS operating systems.

Two methods to persist on Windows

  • Creates a service and initiates its execution
  • Creates a Windows Terminal profile by generating the file “C:\users$env:UserName\AppData\Local\Packages\Microsoft. WindowsTerminal_*\LocalState\settings.json.”

It configures the file to execute automatically every time you restart Windows. For that, it launches a PowerShell process that executes the malware.

The 4 steps process to persist on macOS

Step 1 – Execute as Root

Step 2 – Disable Gatekeeper. To achieve this, the JaskaGo malware uses the “spctl –master-disable” command.

Step 3 – JaskaGO duplicates and renames itself under the format “com.%s.appbackgroundservice,” to avoid detection

Step 4 – Creates LaunchDaemon (if root)/ LaunchAgent Creation (if not root) so that the malware automatically launches during the system startup.

How to prevent or respond to a JaskaGo malware infection

Researchers warn that the JaskaGo malware can go undetected by traditional antiviruses. So, I recommend using an XDR solution to keep your system safe from this sort of sophisticated malware.

prevent JaskaGO malware

To keep safe from JaskaGo malware deployment and data exfiltration:

Use a DNS security tool to detect and block on spot any malicious communication attempt. By using a DNS filtering solution, the attacker will fail to install malware on your endpoints. Also, if they somehow succeed infecting your devices, stopping communication to a malicious domain will make data exfiltration to a C&C server impossible.

Educate employees to identify phishing emails and avoid clicking on malicious links.

Use an email security tool to prevent malicious emails from getting into your team`s inboxes.

In case of a JaskaGo malware infection, an XDR solution that integrates a Next-Gen antivirus is the way to go. Choose one of the best XDR softwares to detect and contain an incident before it damages your system.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE