Executive Summary
AT&T Alien Labs has discovered a sophisticated malware stealer strain crafted in the Go programming language, posing a severe threat to Windows and macOS. This malware, known as JaskaGO, has low detection rates by traditional antivirus solutions, making it a stealthy and formidable adversary.
Key Takeaways
- The malware is equipped with an extensive array of commands from its Command and Control (C&C) server.
- JaskaGO can establish persistence on an infected system through several different methods.
- Users face a heightened risk of data compromise as the malware excels at exfiltrating valuable information, ranging from browser credentials to cryptocurrency wallet details and other sensitive user files.
Background
JaskaGO is part of a growing trend in malware development leveraging the Go programming language. It poses a threat to both Windows and macOS systems. The malware is capable of deploying under the guise of legitimate software on pirated application web pages. Its first sample was observed in July 2023, initially targeting Mac users.
Analysis
Upon initial execution, the malware presents a deceptive message box to mislead the user into believing that the malicious code failed to run. It also conducts thorough checks to determine if it is operating within a virtual machine (VM) and handles commands from its Command and Control (C&C) server.
Stealer
JaskaGO is equipped with extensive data exfiltration capabilities, including browser and cryptocurrency wallet stealer functionalities. It can also collect and send a list of specific files and folders to the threat actor.
Persistence Mechanisms
In the Windows version, the malware establishes persistence through service creation and uncommon but effective Windows Terminal “Profiles.” On macOS, it employs a multi-step process to establish persistence, including execution as root and disabling Gatekeeper.
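A defender-side check for the Windows Terminal profile persistence named above, written as an added example (not code from the report): it parses a constructed settings.json, flags profiles whose executable lives outside trusted system paths or is hidden from the profile dropdown, and reports when the terminal is set to start at logon with such a profile as the default. The settings keys used are real Windows Terminal options; that JaskaGO abuses exactly this combination is an assumption, since the report only names the Profiles mechanism.

```python
import json

# Constructed sample Windows Terminal settings.json (not taken from the report).
# The second profile is the default, points at a binary in a user-writable
# directory, is hidden, and the terminal launches at logon: the pattern to flag.
SAMPLE_SETTINGS = r"""
{
  "defaultProfile": "{11111111-2222-3333-4444-555555555555}",
  "startOnUserLogin": true,
  "profiles": {"list": [
    {"guid": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}", "name": "Windows PowerShell",
     "commandline": "%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"guid": "{11111111-2222-3333-4444-555555555555}", "name": "PowerShell",
     "commandline": "C:\\Users\\victim\\AppData\\Roaming\\updater.exe", "hidden": true}
  ]}
}
"""

# Locations from which a legitimate shell profile is expected to launch.
TRUSTED_PREFIXES = ("%systemroot%\\", "c:\\windows\\", "%programfiles%\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def executable_of(commandline: str) -> str:
    """Return the program part of a profile's commandline, stripping quotes."""
    cmd = commandline.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def suspicious_profiles(settings: dict) -> list[dict]:
    """Flag profiles whose executable is outside trusted paths or that are hidden."""
    findings = []
    for prof in settings.get("profiles", {}).get("list", []):
        exe = executable_of(prof.get("commandline", "")).lower()
        reasons = []
        # Bare names such as "cmd.exe" resolve via PATH and are left alone here;
        # only explicit paths outside the trusted prefixes are flagged.
        if exe and "\\" in exe and not exe.startswith(TRUSTED_PREFIXES):
            reasons.append("executable outside trusted path")
        if prof.get("hidden"):
            reasons.append("profile hidden from the dropdown")
        if reasons:
            findings.append({"guid": prof.get("guid"), "exe": exe, "reasons": reasons})
    return findings


def assess(settings_json: str) -> dict:
    """Parse settings.json and report whether the logon autostart runs a flagged profile."""
    settings = json.loads(settings_json)
    findings = suspicious_profiles(settings)
    flagged = {f["guid"] for f in findings}
    autostart_abuse = bool(settings.get("startOnUserLogin")) and settings.get("defaultProfile") in flagged
    return {"findings": findings, "autostart_abuse": autostart_abuse}
```

On a live host the same functions can be pointed at the user's settings.json under the Windows Terminal LocalState folder; a hit on autostart_abuse is worth correlating with the service-creation persistence also described in the report.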
Conclusion
JaskaGO challenges the widely held notion of macOS invulnerability and highlights the shared vulnerability of both Windows and macOS systems. Its sophisticated anti-VM tactics and persistence mechanisms make it a formidable challenge for detection, while its stealer capabilities make it a dangerous threat.
Associated Indicators (IOCs)
A list of technical indicators associated with the reported intelligence, along with their related MITRE ATT&CK Matrix techniques, is available in the full report.