On December 18th, 2023, Alien Labs – the security research team at AT&T – disclosed their findings on a novel information stealer written in the Go programming language, dubbed JaskaGO.
According to researcher Ofer Caspi, JaskaGO covertly extracts sensitive user data from both Windows and macOS devices: login credentials, browsing history, files of interest, and cryptocurrency wallet details, all of which are quietly exfiltrated to remote attacker-controlled servers.
As a multi-platform threat, JaskaGO serves as an urgent reminder that users of Windows and macOS alike need to remain vigilant to protect themselves from malware attacks. We published this post to help individuals and security teams understand this threat and take necessary precautions.
The AT&T Alien Labs report revealed several notable capabilities and behaviors of JaskaGO:
Versatile command-and-control: JaskaGO keeps polling its remote servers for commands, which cover remote control, stealth, persistence, and data theft.
Multiple persistence tactics: The malware uses several techniques to embed itself in an infected system so that it launches automatically after every reboot, including masquerading as legitimate services, scripts, and startup programs.
Broad data exfiltration: JaskaGO steals highly sensitive information from browsers and files – covertly transmitting stolen data to attackers. This ranges from login credentials, browsing history, and documents to cryptocurrency wallet contents.
By combining these potent features with cross-platform samples and stealthy execution, JaskaGO emerges as a highly formidable threat against both Windows and Mac users.
JaskaGO builds upon an accelerating trend of malware development using the Go programming language (also called Golang). With Go recognized for its simplicity, efficiency and cross-platform abilities, it has become an increasingly popular option for threat actors to build sophisticated malware.
The initial JaskaGO sample was spotted in July 2023 and targeted macOS. Dozens of Windows-compatible versions followed soon after. By disguising itself as a legitimate application, JaskaGO has largely evaded antivirus detection despite its capabilities.
Its versatile use across platforms combined with advanced evasion techniques allow JaskaGO to establish a persistent foothold to then covertly steal user data. The malware is a prime example of how multi-platform threats continue to grow in complexity.
As per the researcher, JaskaGO opens with a deception: on execution it shows a fake error message claiming a problem with the file, so the victim assumes the program simply failed. After its anti-VM checks pass, it contacts its command and control servers for instructions.
Fake error message shared by Alien Labs (Source: Alien Labs)
Its stealer module extracts browser data including credentials, cookies, history, and cryptocurrency wallet information. It can also receive from the C2 a list of files or folders to exfiltrate from the victim's system.
The malware uses several methods to maintain persistence, including Windows services, PowerShell scripts, and macOS launch agents/daemons, so that it is started again at boot. The following sections walk through the technical details.
Virtual Machine Detection
JaskaGO employs several checks to detect whether it is running in a virtual machine (VM) environment. These include:
Examining system information such as processor count, uptime, and available memory
Checking for MAC addresses whose vendor prefix belongs to VMware, VirtualBox, and similar hypervisors
Inspecting the Windows registry and file system for VM traces
If a VM is detected, JaskaGO performs random benign actions, such as pinging Google, instead of its real behaviour, so that an automated sandbox records nothing malicious.
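The checks above are cheap to reproduce, and reproducing them is the quickest way to see whether an analysis VM would be spotted. The Go program below is an added example written for this post, not JaskaGO's code: it collects the same three signals the report describes (hypervisor MAC prefixes, processor count, uptime and memory) into a pure function so the heuristic can be tested against constructed inputs. The OUI list is taken from public vendor registrations, and the thresholds (fewer than 2 CPUs, under 10 minutes uptime, under 2 GiB RAM) are assumptions chosen to mirror common sandbox-evasion heuristics, not values recovered from the malware.

```go
package main

import (
	"fmt"
	"net"
	"runtime"
	"strings"
)

// vmOUIs maps MAC address vendor prefixes (OUIs) to the virtualisation vendor
// that registered them. Publicly documented; illustrative, not JaskaGO's list.
var vmOUIs = map[string]string{
	"00:05:69": "VMware",
	"00:0c:29": "VMware",
	"00:1c:14": "VMware",
	"00:50:56": "VMware",
	"08:00:27": "VirtualBox",
	"00:15:5d": "Hyper-V",
	"00:1c:42": "Parallels",
	"52:54:00": "QEMU/KVM",
}

// Host is a snapshot of the values a sandbox check looks at. Keeping them in a
// struct makes the heuristic a pure function that can be tested without
// touching the real machine.
type Host struct {
	MACs      []string
	NumCPU    int
	UptimeSec uint64
	MemBytes  uint64
}

// VMIndicators returns one human-readable reason for every check that fires.
// Thresholds are assumptions (see lead-in), not values taken from the malware.
func VMIndicators(h Host) []string {
	var hits []string
	for _, mac := range h.MACs {
		oui := strings.ToLower(mac)
		if len(oui) >= 8 {
			if vendor, ok := vmOUIs[oui[:8]]; ok {
				hits = append(hits, fmt.Sprintf("MAC %s has %s OUI", mac, vendor))
			}
		}
	}
	if h.NumCPU < 2 {
		hits = append(hits, fmt.Sprintf("only %d CPU(s)", h.NumCPU))
	}
	if h.UptimeSec < 600 {
		hits = append(hits, fmt.Sprintf("uptime %ds is below 10 minutes", h.UptimeSec))
	}
	if h.MemBytes < 2<<30 {
		hits = append(hits, fmt.Sprintf("only %d MiB of RAM", h.MemBytes>>20))
	}
	return hits
}

// localMACs reads the MAC addresses of this machine's network interfaces.
func localMACs() []string {
	var macs []string
	ifaces, err := net.Interfaces()
	if err != nil {
		return nil
	}
	for _, ifc := range ifaces {
		if hw := ifc.HardwareAddr.String(); hw != "" {
			macs = append(macs, hw)
		}
	}
	return macs
}

func main() {
	// MACs and CPU count are read from the running machine. Uptime and memory
	// need platform-specific calls (sysinfo on Linux, GetTickCount64 and
	// GlobalMemoryStatusEx on Windows, sysctl on macOS), so constructed values
	// that do not trip the thresholds are used here to keep the program portable.
	h := Host{MACs: localMACs(), NumCPU: runtime.NumCPU(), UptimeSec: 3600, MemBytes: 8 << 30}
	for _, hit := range VMIndicators(h) {
		fmt.Println("VM indicator:", hit)
	}
}
```

Running this inside a stock analysis VM usually prints at least the MAC hit; the fix on the sandbox side is to give the guest a non-hypervisor OUI, more than one vCPU, a few gigabytes of RAM, and some uptime before detonating a sample.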
Command and Control Communication
Wireshark capture of the communication with the C&C shared by Alien Labs (Source: Alien Labs)
Once JaskaGO is satisfied that it is running on a real system, it establishes communication with its remote command and control (C2) servers. It then polls these servers continually for attack instructions, including:
Deploying persistence mechanisms
Executing malicious payloads
Stealing and exfiltrating user data
Displaying fake error messages
Downloading additional malware components
Equipped for extensive data exfiltration, JaskaGO can steal:
Browser data – logins, history, cookies, cryptocurrency wallets
Sensitive files and documents
Any custom file/folder listing from C2 servers
Stolen data is zipped and encrypted before it is transmitted to the attackers' servers. The list of targeted browsers is configurable, and the stealer reads browser password databases and works around security extensions and other protection measures while extracting user information.
A successful JaskaGO infection enables significant damage, including:
Credential theft – Loss of account logins and passwords, enabling data or identity theft.
Financial fraud – Draining of cryptocurrency wallets, online banking theft through stolen sessions.
Sensitive data exfiltration – Trade secrets, customer information, personal photos or conversations can be quietly stolen.
System instability – Performance, uptime and reliability issues as malware persists in the background.
The foothold for attacks – JaskaGO can download additional malware based on attacker needs to further compromise the device.
Covert surveillance – Keyloggers, screen recording and other spyware can be silently activated via JaskaGO.
Reputational damage – An infected machine can be used as a launch point for attacks on others, inflicting immense brand damage.
As JaskaGO operates covertly once embedded in a system, users may be completely unaware that sensitive data is landing in the attackers' hands or that further malicious activity is taking place. This underscores the importance of preventing JaskaGO infections in the first place.
Defending against sophisticated threats like JaskaGO requires proactive precautions on both Windows and Mac machines.
Windows:
For Windows users, ensure your antimalware software is up to date and perform regular scans to catch the latest stealthy malware strains. Avoid downloading apps from shady websites; stick to trusted sources. Use a firewall, and pay attention to unexpected outbound connections as well as inbound traffic, since the malware keeps polling its C2 servers. Routinely check background processes, services, and scheduled PowerShell scripts for suspicious unknown programs that could indicate persistence mechanisms.
Mac:
On Macs, refrain from arbitrarily disabling built-in security such as Gatekeeper, which checks app legitimacy. Vet browser extensions carefully before installation to stop malware piggybacking as plugins. Closely inspect auto-starting login items and launch agents/daemons, removing anything dubious, since these are used to establish persistence. Create regular offline backups of your important files to limit data loss in case of infection. Never enter admin passwords unless you have double-checked an app's authenticity.
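Inspecting launch agents by hand means opening every plist under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and asking what each one runs. The Go program below is an added example written for this post, not part of the Alien Labs report or the malware, that automates the first pass: it parses each XML plist, pulls out the Label, the program (from Program or the first ProgramArguments entry) and RunAtLoad, and flags entries whose program sits outside a set of trusted directories, lives in a hidden or temporary path, or pairs an Apple-looking label with a non-Apple binary (the "masquerading as legitimate services" trick described earlier). The trusted-directory list and the hypothetical sample plist are assumptions for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// trustedPrefixes are directories from which launch items are expected to run
// programs. An assumption for this example, not an Apple allow-list; tune it.
var trustedPrefixes = []string{"/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/"}

// Item is what we extract from one launchd plist plus the reasons it looks odd.
type Item struct {
	Label     string
	Program   string
	RunAtLoad bool
	Reasons   []string
}

// ReviewPlist parses a launchd plist in XML form and flags persistence entries
// that deserve a manual look. It walks the XML tokens directly because a plist
// <dict> is a flat sequence of <key>/<value> pairs rather than a fixed schema.
func ReviewPlist(data []byte) (Item, error) {
	var it Item
	dec := xml.NewDecoder(strings.NewReader(string(data)))
	key, wantArgv0 := "", false
	for {
		tok, err := dec.Token()
		if err != nil {
			break // io.EOF ends the walk; a parse error just stops early
		}
		start, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		var text string
		switch start.Name.Local {
		case "key":
			if err := dec.DecodeElement(&text, &start); err != nil {
				return it, err
			}
			key = text
			wantArgv0 = key == "ProgramArguments" // first array entry is the executable
		case "string":
			if err := dec.DecodeElement(&text, &start); err != nil {
				return it, err
			}
			switch {
			case key == "Label":
				it.Label = text
			case key == "Program":
				it.Program = text
			case key == "ProgramArguments" && wantArgv0:
				it.Program = text
				wantArgv0 = false
			}
		case "true":
			if key == "RunAtLoad" {
				it.RunAtLoad = true
			}
		}
	}
	if it.Program == "" {
		return it, fmt.Errorf("no Program or ProgramArguments found")
	}
	trusted := false
	for _, p := range trustedPrefixes {
		if strings.HasPrefix(it.Program, p) {
			trusted = true
			break
		}
	}
	if !trusted {
		it.Reasons = append(it.Reasons, "program outside trusted directories")
	}
	if strings.Contains(it.Program, "/.") || strings.HasPrefix(it.Program, "/tmp/") || strings.HasPrefix(it.Program, "/private/tmp/") {
		it.Reasons = append(it.Reasons, "program in a hidden or temporary path")
	}
	if strings.HasPrefix(it.Label, "com.apple.") && !trusted {
		it.Reasons = append(it.Reasons, "Apple-style label but program is not an Apple binary")
	}
	return it, nil
}

// ScanDir reviews every .plist in dir and returns only the suspicious items.
func ScanDir(dir string) []Item {
	var out []Item
	paths, _ := filepath.Glob(filepath.Join(dir, "*.plist"))
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			continue
		}
		if it, err := ReviewPlist(data); err == nil && len(it.Reasons) > 0 {
			out = append(out, it)
		}
	}
	return out
}

// samplePlist is a constructed example of the kind of entry to look for: an
// Apple-looking label pointing at a hidden binary under the user's home.
const samplePlist = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.sysupd/sysupd</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>`

func main() {
	it, _ := ReviewPlist([]byte(samplePlist))
	fmt.Printf("sample: %s -> %s\n  %s\n", it.Label, it.Program, strings.Join(it.Reasons, "; "))
	home, _ := os.UserHomeDir()
	for _, dir := range []string{filepath.Join(home, "Library/LaunchAgents"), "/Library/LaunchAgents", "/Library/LaunchDaemons"} {
		for _, it := range ScanDir(dir) {
			fmt.Printf("%s: %s -> %s\n  %s\n", dir, it.Label, it.Program, strings.Join(it.Reasons, "; "))
		}
	}
}
```

The scanner only understands XML plists; a binary one (starting with bplist00) is skipped, so convert it first with plutil -convert xml1 -o - file.plist. A hit is a prompt for a manual look, not a verdict: a legitimate third-party agent installed under /usr/local or /opt will be flagged by the trusted-directory rule until you add its path.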
General Countermeasures:
Additionally, on either desktop platform, general cyber hygiene remains important: use unique passwords per account, enable multi-factor authentication where feasible, avoid pirated software and cracks, which are common infection vectors, and keep your operating system, apps, and security tools fully patched.
JaskaGO’s versatility, stealthiness, and data theft capabilities showcase how multi-platform malware continues to raise the stakes against individual and enterprise security environments alike.
Gone are the days when Apple users could rest easy believing in inherent Mac security. Windows and Mac systems are both prime targets now for sophisticated cybercrime tools like JaskaGO that stealthily steal credentials, personal data, and financial assets. Users can no longer afford to remain complacent by relying on outdated assumptions of safety.
Whether individual home users or security teams in large organizations, everyone needs to ensure robust security hygiene. Updating systems, monitoring for anomalies, and encouraging cautious user habits help build protection against persistent threats. By understanding the offensive tactics revealed by researchers, we improve our chances of defending through better prevention and response.
We hope this post helps individuals and security teams understand this threat and take necessary precautions.
IOCs
TYPE | INDICATOR | DESCRIPTION |
SHA256 | 7bc872896748f346fdb2426c774477c4f6dcedc9789a44bd9d3c889f778d5c4b | Windows malware hash |
SHA256 | f38a29d96eee9655b537fee8663d78b0c410521e1b88885650a695aad89dbe3f | macOS malware hash |
SHA256 | 6efa29a0f9d112cfbb982f7d9c0ddfe395b0b0edb885c2d5409b33ad60ce1435 | Windows malware hash |
SHA256 | f2809656e675e9025f4845016f539b88c6887fa247113ff60642bd802e8a15d2 | Windows malware hash |
SHA256 | 85bffa4587801b863de62b8ab4b048714c5303a1129d621ce97750d2a9a989f9 | Windows malware hash |
SHA256 | 37f07cc207160109b94693f6e095780bea23e163f788882cc0263cbddac37320 | Windows malware hash |
SHA256 | e347d1833f82dc88e28b1baaa2657fe7ecbfe41b265c769cce25f1c0e181d7e0 | Windows malware hash |
SHA256 | c714f3985668865594784dba3aeda1d961acc4ea7f59a178851e609966ca5fa6 | Windows malware hash |
SHA256 | 9b23091e5e0bd973822da1ce9bf1f081987daa3ad8d2924ddc87eee6d1b4570d | Windows malware hash |
SHA256 | 1c0e66e2ea354c745aebda07c116f869c6f17d205940bf4f19e0fdf78d5dec26 | Windows malware hash |
SHA256 | e69017e410aa185b34e713b658a5aa64bff9992ec1dbd274327a5d4173f6e559 | Windows malware hash |
SHA256 | 6cdda60ffbc0e767596eb27dc4597ad31b5f5b4ade066f727012de9e510fc186 | macOS malware hash |
SHA256 | 44d2d0e47071b96a2bd160aeed12239d4114b7ec6c15fd451501c008d53783cf | Windows malware hash |
SHA256 | 8ad4f7e14b36ffa6eb7ab4834268a7c4651b1b44c2fc5b940246a7382897c98e | Windows malware hash |
SHA256 | 888623644d722f35e4dcc6df83693eab38c1af88ae03e68fd30a96d4f8cbcc01 | Windows malware hash |
SHA256 | 3f139c3fcad8bd15a714a17d22895389b92852118687f62d7b4c9e57763a8867 | Windows malware hash |
SHA256 | 207b5ee9d8cbff6db8282bc89c63f85e0ccc164a6229c882ccdf6143ccefdcbc | macOS malware hash |
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.