Researchers from AT&T Alien Labs have recently discovered a new cross-platform information stealer malware called JaskaGO [7]. This highly sophisticated malware targets both Windows and Apple macOS systems and disguises itself as installers for legitimate software [3].

Description

JaskaGO is designed to avoid detection by checking whether it is running in a virtual machine environment and, if so, performing only harmless tasks. Once installed, it can steal sensitive data [1], execute shell commands [2] [3] [5] [6] [7], and establish a connection to its command and control server [3] [5] [6]. The distribution method of JaskaGO is currently unknown [6], but it has been found to spread through installers for pirated legitimate software [7]. The macOS variant of the malware was first observed in July 2023 and has a low detection rate [7]. Upon execution [7], it displays a fake error message to mislead users [7].

JaskaGO collects information from infected systems and connects to a command and control server for instructions [7]. It supports various commands [7], including creating persistence [7], stealing information [2] [7], executing shell commands [2] [3] [5] [6] [7], displaying alerts [7], retrieving process lists [7], writing to the clipboard [7], downloading and executing additional payloads [7], and more. On macOS [1] [2] [4] [5] [6] [7], JaskaGO can establish persistence by running with root permissions [5] [6], disabling Gatekeeper protections [3] [5] [6] [7], and creating a custom launch daemon [5] [6]. It also employs anti-VM tactics to evade automated analysis [7].
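The two macOS persistence traits described above (Gatekeeper switched off and a custom launch daemon) are something a defender can audit directly. The following script is an added example written for this page, not code from any of the cited reports: it parses the output of `spctl --status` and inspects launchd plists with the standard-library `plistlib`. The "trusted" path prefixes and the daemon directories are assumptions and should be tuned to the environment.

```python
import plistlib
import subprocess
from pathlib import Path

# Assumed "normal" prefixes for daemon binaries; anything else is worth a look.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/Library/Apple/")
DAEMON_DIRS = (Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents"))

def gatekeeper_disabled(spctl_output: str) -> bool:
    """`spctl --status` prints 'assessments disabled' when Gatekeeper is off."""
    return "assessments disabled" in spctl_output.lower()

def daemon_program(plist_bytes: bytes):
    """Executable a launchd plist starts: Program, else ProgramArguments[0]."""
    data = plistlib.loads(plist_bytes)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None

def suspicious_reasons(plist_bytes: bytes) -> list:
    """Traits of a hand-rolled persistence plist; empty list means nothing flagged."""
    data = plistlib.loads(plist_bytes)
    prog = daemon_program(plist_bytes)
    if prog is None:
        return ["no program specified"]
    reasons = []
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted paths: {prog}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts itself if killed)")
    return reasons

def audit() -> list:
    """Walk the launchd directories and report every plist with a flagged trait."""
    findings = []
    for d in DAEMON_DIRS:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            try:
                reasons = suspicious_reasons(p.read_bytes())
            except Exception as exc:  # a malformed plist is itself interesting
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings.append((str(p), reasons))
    return findings

if __name__ == "__main__":
    out = subprocess.run(["spctl", "--status"], capture_output=True, text=True).stdout
    print("Gatekeeper: DISABLED" if gatekeeper_disabled(out) else "Gatekeeper: enabled")
    for path, reasons in audit():
        print(path, "->", "; ".join(reasons))
```

Run it as root on the host being examined; a daemon whose binary sits outside the trusted prefixes together with Gatekeeper reporting "assessments disabled" matches the persistence pattern the reports describe.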

The malware poses a significant threat by extracting sensitive information from victims [7]. It can exfiltrate data from Chrome and Firefox browsers [7], including credentials [7], history [4] [7], cookies [7], and password encryption keys [7]. Additionally, it targets browser crypto wallet extensions and can exfiltrate files and folders [7].

JaskaGO is part of a growing trend in malware development using the Go programming language [1] [5] [6], known for its simplicity [1] [5] [6], efficiency [1] [5] [6], and cross-platform capabilities [1] [5] [6]. The exact delivery mechanism and the number of infected devices are currently unknown [1]. Its discovery highlights the need for robust security measures to protect against evolving threats like JaskaGO. Traditional antivirus products may not detect JaskaGO [4], so it is recommended to use an XDR solution for protection [4]. To prevent or respond to an infection [4], it is advised to use a DNS security tool [4], educate employees about phishing emails [4], use an email security tool [4], and integrate a Next-Gen antivirus into an XDR solution [4].

Conclusion

JaskaGO is a sophisticated information stealer malware written in the Go programming language that targets Windows and macOS systems [2]. It is capable of extracting valuable information [2], including browser credentials and sensitive files [2], posing a significant risk to user data [2]. The malware employs deceptive tactics [2] [7], such as generating misleading error messages [2], to trick users into thinking it did not execute as intended [2]. It also checks for virtual machine environments and gathers information from victims before connecting to its command and control server for further instructions [2].

JaskaGO can perform various actions [2], such as establishing persistence [2] [7], stealing information [2] [7], executing shell commands [2] [3] [5] [6] [7], and retrieving running processes [2]. It has robust data exfiltration capabilities [2], storing acquired data in a dedicated folder before compressing and sending it to the threat actor [2]. The malware primarily targets Chrome and Firefox browsers but can be configured for additional browsers [2]. The complexity of JaskaGO highlights the need for strong cybersecurity measures to mitigate its impact on user data and system security [2].

References

[1] https://www.techradar.com/pro/security/windows-and-macos-targeted-by-new-go-based-malware
[2] https://www.pcrisk.com/removal-guides/28651-jaskago-malware
[3] https://www.claytoncountyregister.com/news2/new-go-based-jaskago-malware-targeting-windows-and-macos-systems/942027/
[4] https://heimdalsecurity.com/blog/jaskago-malware/
[5] https://owasp.or.id/2023/12/20/new-go-based-jaskago-malware-targeting-windows-and-macos-systems/
[6] https://thehackernews.com/2023/12/new-go-based-jaskago-malware-targeting.html
[7] https://securityaffairs.com/156185/malware/jaskago-information-stealer-macos-windows.html