Protect Your Windows and Mac from JaskaGO- Go-Based Stealer Malware

On December 18th, 2023, Alien Labs – the security research team at AT&T – disclosed their findings on a novel information stealer malware written in the Go programming language, dubbed JaskaGO.

According to Ofer Caspi, JaskaGO excels at covertly extracting extremely sensitive user data from both Windows and Mac devices. This includes login credentials, browsing history, valuable files and even cryptocurrency wallet details – all of which can be quietly exfiltrated to remote attacker-controlled servers.

As a multi-platform threat, JaskaGO serves as an urgent reminder that users of Windows and macOS alike need to remain vigilant to protect themselves from malware attacks. We published this post to help individuals and security teams understand this threat and take necessary precautions.

Things AT&T Alien Labs Revealed About JaskaGO:

The AT&T Alien Labs report revealed several notable capabilities and behaviors of JaskaGO:

  • Versatile command-and-control: JaskaGO continuously connects to remote servers, awaiting a wide array of potential attack commands. These allow advanced control, stealth, persistence and data theft.
  • Multiple persistence tactics: The malware utilizes various clever tricks to embed itself in an infected system – ensuring it launches automatically even after reboots. This includes masquerading as legitimate services, scripts and startup programs.
  • Broad data exfiltration: JaskaGO steals highly sensitive information from browsers and files – covertly transmitting stolen data to attackers. This ranges from login credentials, browsing history, documents to cryptocurrency wallet contents.

By combining these potent features with cross-platform samples and stealthy execution, JaskaGO emerges as a highly formidable threat against both Windows and Mac users.

A Short Note About JaskaGO

JaskaGO builds upon an accelerating trend of malware development using the Go programming language (also called Golang). With Go recognized for its simplicity, efficiency and cross-platform abilities, it has become an increasingly popular option for threat actors to build sophisticated malware.

The initial JaskaGO sample was spotted in July 2023, targeting macOS systems at first. But it quickly evolved with dozens of new Windows-compatible versions emerging thereafter. Leveraging common tactics like disguising itself as legitimate apps, JaskaGO manages to fly under the radar – evading antivirus detection despite inflicting significant damage.

Its versatile use across platforms, combined with advanced evasion techniques, allows JaskaGO to establish a persistent foothold and then covertly steal user data. The malware is a prime example of how multi-platform threats continue to grow in complexity.

Technical Details

As per the researcher, JaskaGO employs deceptive tactics, displaying fake error messages that claim a file problem when it is executed. After rigorous anti-VM checks, it contacts its command and control servers to receive instructions.

Fake error message shared by Alien Labs (Source: Alien Labs)

Potent stealing capabilities allow extraction of extensive browser data including credentials, cookies, histories and cryptocurrency wallet information. It can also receive lists of files or folders to exfiltrate from victims’ systems.

The malware uses various methods including Windows services, PowerShell scripts and macOS launch agents/daemons to maintain persistence – embedding itself at system startup. Let’s look at the technical details more closely.


Anti-VM Capabilities

JaskaGO employs several checks to detect whether it is running in a virtual machine (VM) environment. This includes:

  • Examining system information like processor count, uptime, available memory
  • Checking for VM-associated MAC addresses from VMWare, VirtualBox etc.
  • Inspecting Windows registry and file system for VM traces

If a VM is detected, JaskaGO executes random benign actions, such as pinging Google, to avoid automated analysis.

Command and Control Communication

Wireshark capture of communication with the C&C server shared by Alien Labs (Source: Alien Labs)

Once JaskaGO confirms it is running on a real system, it establishes communication with remote command and control (C2) servers. It then continually polls these servers to receive attack instructions, including:

  • Deploying persistence mechanisms
  • Executing malicious payloads
  • Stealing and exfiltrating user data
  • Displaying fake error messages
  • Downloading additional malware components
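Because the malware polls its C2 servers continually, the defender's counterpart is looking for regular "beaconing" in egress logs. The following is an added example, not code from the Alien Labs report or from this post: it reads constructed proxy log lines (format and addresses are assumptions) and flags client-to-destination flows whose connection intervals are too regular to be human browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log, one connection per line (not real JaskaGO traffic):
# "<ISO timestamp> <client> -> <destination>"
SAMPLE_LOG = """\
2023-12-18T10:00:00 10.0.0.5 -> 203.0.113.7:443
2023-12-18T10:00:03 10.0.0.5 -> 198.51.100.20:443
2023-12-18T10:01:00 10.0.0.5 -> 203.0.113.7:443
2023-12-18T10:02:01 10.0.0.5 -> 203.0.113.7:443
2023-12-18T10:02:40 10.0.0.5 -> 198.51.100.20:443
2023-12-18T10:03:00 10.0.0.5 -> 203.0.113.7:443
2023-12-18T10:04:00 10.0.0.5 -> 203.0.113.7:443
2023-12-18T10:04:59 10.0.0.5 -> 203.0.113.7:443
2023-12-18T10:09:15 10.0.0.5 -> 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, destination) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(text, min_connections=5, max_jitter=0.15):
    """Return {(client, destination): mean_interval_seconds} for flows whose
    inter-connection gaps are regular enough to look like C2 polling.
    Jitter is the coefficient of variation (stdev / mean) of the gaps;
    legitimate updaters also beacon, so review hits against an allow list."""
    times = defaultdict(list)
    for ts, client, dest in parse_log(text):
        times[(client, dest)].append(ts)
    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_connections:   # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = round(avg, 1)
    return beacons
```

On the constructed log, the flow to 203.0.113.7:443 is reported with a roughly 60-second interval, while the three irregular connections to 198.51.100.20 are ignored.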

Potent Data Stealing Capabilities

Equipped for extensive data exfiltration, JaskaGO can steal:

  • Browser data – logins, history, cookies, cryptocurrency wallets
  • Sensitive files and documents
  • Any custom file/folder listing from C2 servers

It compresses and encrypts the stolen data before covertly transmitting it to attacker servers. Configurable to target additional browsers, JaskaGO also circumvents password databases, security extensions and other protection measures while extracting user information.

Implications of JaskaGO Infection

A successful JaskaGO infection enables significant damage, including:

  • Credential theft – Loss of account logins and passwords, enabling data or identity theft.
  • Financial fraud – Draining of cryptocurrency wallets, online banking theft through stolen sessions.
  • Sensitive data exfiltration – Trade secrets, customer information, personal photos or conversations can be quietly stolen.
  • System instability – Performance, uptime and reliability issues as malware persists in background.
  • Foothold for attacks – JaskaGO can download additional malware based on attacker needs to further compromise the device.
  • Covert surveillance – Keyloggers, screen recording and other spyware can be silently activated via JaskaGO.
  • Reputational damage – An infected public-facing server can be used to attack others, inflicting immense brand damage.

As JaskaGO operates covertly once embedded into a system, users may be completely unaware as sensitive data lands in attacker hands or further malicious activity occurs. This underscores the criticality of preventing JaskaGO attacks.

How to Protect Your Windows and Mac from JaskaGO?

Defending against sophisticated threats like JaskaGO requires proactive precautions on both Windows and Mac machines.

Windows:

For Windows users, ensure your antimalware software is up-to-date and performing regular scans to catch the latest stealthy malware strains. Avoid downloading apps from shady websites and stick to trusted sources. Use firewalls to filter out malicious incoming network traffic. Routinely check background processes and services for any suspicious unknown programs that could indicate persistence mechanisms.

Mac:

On Macs, refrain from arbitrarily disabling inbuilt security such as Gatekeeper which monitors app legitimacy. Vet browser extensions extremely carefully before installation to stop malware piggybacking as plugins. Closely inspect auto-starting login items and launch agents, removing anything dubious since these are used to establish persistence. Create regular backups of your important files offline to limit data loss in case of infection. Never enter admin passwords unless you double confirm an app’s authenticity.
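The launch agent review recommended above can be scripted. This is an added example, not code from the post or from Alien Labs: it scores launch item plists on traits worth a closer look (an Apple-style label in a per-user LaunchAgents folder, a shell interpreter as the program, paths under user-writable or hidden directories, RunAtLoad plus KeepAlive). The two sample plists and the `load_from_disk` helper are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Constructed sample plists (not taken from the report): a benign-looking vendor
# updater and an item with the traits a reviewer should question.
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.vendor.updater.plist": {
        "Label": "com.vendor.updater",
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"],
        "StartInterval": 3600,
    },
    "/Users/alice/Library/LaunchAgents/com.apple.syncservice.plist": {
        "Label": "com.apple.syncservice",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/Library/.cache/helper"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}

USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3")

def assess_plist(path, plist):
    """Return the reasons a launch item deserves manual review (empty list = nothing flagged)."""
    reasons = []
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program, label = args[0], plist.get("Label", "")
    if path.startswith("/Users/") and "/LaunchAgents/" in path and label.startswith("com.apple."):
        reasons.append("Apple-style label in a per-user LaunchAgents directory")
    if program in INTERPRETERS:
        reasons.append(f"program is an interpreter ({program}) rather than an app binary")
    for arg in args:
        if arg.startswith(USER_WRITABLE) or "/." in arg:
            reasons.append(f"references a user-writable or hidden path: {arg}")
            break
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login and relaunches if killed")
    return reasons

def audit(plists):
    """Map plist path -> reasons, keeping only the flagged items."""
    flagged = {}
    for path, plist in plists.items():
        reasons = assess_plist(path, plist)
        if reasons:
            flagged[path] = reasons
    return flagged

def load_from_disk(directory="~/Library/LaunchAgents"):
    """Read real plists (XML or binary) from a directory so audit() can run on a live Mac."""
    return {str(f): plistlib.load(open(f, "rb")) for f in Path(directory).expanduser().glob("*.plist")}
```

A hit is a prompt for a human to verify the program's origin and signature, not proof of infection; vendor agents legitimately use RunAtLoad too.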

General Countermeasures:

Additionally, on both desktop platforms, general cyber hygiene remains important – this includes using unique passwords per account, enabling multi-factor authentication where feasible, avoiding pirated software cracks, which are common infection vectors, and keeping your operating system, apps and security tools fully updated through patches.


Bottom Line

JaskaGO’s versatility, stealthiness and data theft capabilities showcase how multi-platform malware continues to raise the stakes against individual and enterprise security environments alike.

Gone are the days when Apple users could rest easy believing in inherent Mac security. Windows and Mac systems are both prime targets now for sophisticated cybercrime tools like JaskaGO that stealthily steal credentials, personal data and financial assets. Users can no longer afford to remain complacent by relying on outdated assumptions of safety.

Whether individual home users or security teams in large organizations, everyone needs to ensure robust security hygiene. Updating systems, monitoring for anomalies and encouraging cautious user habits help build protection against persistent threats. By better understanding the offensive tactics revealed by researchers, we improve our chances of defense through better prevention and response.


IOCs



About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.
