2023-12-20

A new Go-based malware called JaskaGO (Go, also called Golang, is a programming language created by Google) has recently appeared as the latest cross-platform threat, capable of infiltrating both Windows and Apple macOS systems.

AT&T Alien Labs, which made the discovery, has declared that the malware is “equipped with a wide range of commands coming from its command and control (C&C) server”.

How JaskaGO works and what problems it can cause

Artifacts designed for macOS were first observed in July 2023, posing as installers of legitimate software such as CapCut. Other variants of the malware disguised themselves as AnyConnect and security tools.

Upon installation, JaskaGO checks whether it is running inside a virtual machine (VM) environment and, if so, performs a harmless operation such as pinging Google or printing a random number, probably in an attempt to go unnoticed.

Otherwise, JaskaGO collects information from the victim's system and establishes a connection with its C&C server to receive further instructions, including executing shell commands, enumerating running processes and downloading additional payloads.

It can also tamper with the clipboard, replacing wallet addresses to facilitate cryptocurrency theft, and steal files and data from web browsers.
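The clipboard substitution described above leaves a simple trace from the defender's side: a wallet address goes in, and a different wallet address comes back out. The following Go program, written as an added example for this article (it is not JaskaGO code or anything from the AT&T Alien Labs report), shows the detection logic over a few constructed clipboard observations. The address patterns, the ClipboardEvent type and the sample values are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Address formats this example recognises. This is an assumption of the
// example: a production monitor would cover every asset its users handle,
// and the Bitcoin pattern here is deliberately loose.
var addressPatterns = map[string]*regexp.Regexp{
	"btc": regexp.MustCompile(`^(bc1[0-9a-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$`),
	"eth": regexp.MustCompile(`^0x[0-9a-fA-F]{40}$`),
}

// AddressKind returns the matching format name, or "" for ordinary text.
func AddressKind(s string) string {
	s = strings.TrimSpace(s)
	for kind, re := range addressPatterns {
		if re.MatchString(s) {
			return kind
		}
	}
	return ""
}

// ClipboardEvent pairs what the user copied with what the clipboard
// contained when it was next read back (for example just before a paste).
type ClipboardEvent struct {
	Copied string
	Read   string
}

// IsSwap reports whether the event looks like a clipper substitution:
// the user copied a wallet address and a different address came back out.
// A user overwriting the clipboard with ordinary text is not a swap.
func IsSwap(ev ClipboardEvent) bool {
	before, after := AddressKind(ev.Copied), AddressKind(ev.Read)
	return before != "" && after != "" &&
		strings.TrimSpace(ev.Copied) != strings.TrimSpace(ev.Read)
}

// FindSwaps filters a sequence of observations down to the suspicious ones.
func FindSwaps(events []ClipboardEvent) []ClipboardEvent {
	var hits []ClipboardEvent
	for _, ev := range events {
		if IsSwap(ev) {
			hits = append(hits, ev)
		}
	}
	return hits
}

// SampleEvents returns constructed observations; none of the addresses are real.
func SampleEvents() []ClipboardEvent {
	ethA := "0x" + strings.Repeat("ab", 20)
	ethB := "0x" + strings.Repeat("cd", 20)
	btcA := "bc1q" + strings.Repeat("a", 38)
	btcB := "bc1q" + strings.Repeat("b", 38)
	return []ClipboardEvent{
		{Copied: "meeting notes", Read: "meeting notes"},  // ordinary text, untouched
		{Copied: ethA, Read: ethA},                        // address read back unchanged
		{Copied: ethA, Read: ethB},                        // ETH address silently replaced
		{Copied: btcA, Read: btcB},                        // BTC address silently replaced
		{Copied: btcA, Read: "pasted something else"},     // user overwrote it; not a swap
	}
}

func main() {
	for _, ev := range FindSwaps(SampleEvents()) {
		fmt.Printf("ALERT clipboard address changed: %s -> %s\n", ev.Copied, ev.Read)
	}
}
```

On a real endpoint the Copied/Read pairs would come from hooking the copy action and reading the pasteboard again shortly afterwards; the comparison itself stays as shown, and an alert on a changed address is a strong signal because legitimate software has no reason to rewrite one.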

“On macOS, JaskaGO uses a multi-step process to establish persistence within the system”, said security researcher Ofer Caspi, outlining its ability to run itself with root permissions, disable Gatekeeper protections and create a custom daemon or launch agent to ensure that it starts automatically during system startup.
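The persistence step above lands as a launchd property list, which makes those files a natural place to look. The following Go program is an added example for this article, not code from the report or from the malware: it parses the top-level dictionary of an XML LaunchDaemon/LaunchAgent plist and applies a few heuristics (executable in a hidden or shared/temporary directory, auto-start combined with KeepAlive). The two embedded plists, the label com.example.updater and the path /Users/Shared/.cache/updater are constructed for the example; the heuristics are the example's own choice, not a definition of malice.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// plistNode is a generic view of one plist element: <key>, <string>,
// <true/>, <array>, <dict> and so on. Children collects nested elements.
type plistNode struct {
	XMLName  xml.Name
	Text     string      `xml:",chardata"`
	Children []plistNode `xml:",any"`
}

type plistRoot struct {
	XMLName xml.Name  `xml:"plist"`
	Dict    plistNode `xml:"dict"`
}

// LaunchItem holds the launchd keys this audit cares about.
type LaunchItem struct {
	Label     string
	Program   string
	Args      []string
	RunAtLoad bool
	KeepAlive bool
}

// ParseLaunchItem reads the top-level dict of an XML plist. Binary plists
// would have to be converted to XML first (on macOS: plutil -convert xml1).
func ParseLaunchItem(data []byte) (LaunchItem, error) {
	var root plistRoot
	if err := xml.Unmarshal(data, &root); err != nil {
		return LaunchItem{}, err
	}
	var item LaunchItem
	kids := root.Dict.Children
	for i := 0; i+1 < len(kids); i += 2 { // dict children alternate <key>, value
		if kids[i].XMLName.Local != "key" {
			return LaunchItem{}, fmt.Errorf("malformed dict: expected <key> at child %d", i)
		}
		key, val := strings.TrimSpace(kids[i].Text), kids[i+1]
		switch key {
		case "Label":
			item.Label = strings.TrimSpace(val.Text)
		case "Program":
			item.Program = strings.TrimSpace(val.Text)
		case "ProgramArguments":
			for _, c := range val.Children {
				item.Args = append(item.Args, strings.TrimSpace(c.Text))
			}
		case "RunAtLoad":
			item.RunAtLoad = val.XMLName.Local == "true"
		case "KeepAlive":
			// KeepAlive may also be a <dict> of conditions; anything but <false/> keeps it alive.
			item.KeepAlive = val.XMLName.Local != "false"
		}
	}
	return item, nil
}

// Executable returns the path launchd would run for this item.
func (li LaunchItem) Executable() string {
	if li.Program != "" {
		return li.Program
	}
	if len(li.Args) > 0 {
		return li.Args[0]
	}
	return ""
}

// Findings lists the reasons an item deserves a closer look.
func Findings(li LaunchItem) []string {
	var out []string
	exe := li.Executable()
	for _, part := range strings.Split(exe, "/") {
		if len(part) > 1 && part != ".." && strings.HasPrefix(part, ".") {
			out = append(out, "executable lives in a hidden directory: "+exe)
			break
		}
	}
	for _, prefix := range []string{"/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/"} {
		if strings.HasPrefix(exe, prefix) {
			out = append(out, "executable lives in a temporary or shared directory: "+exe)
			break
		}
	}
	if li.RunAtLoad && li.KeepAlive {
		out = append(out, "starts at boot and is restarted if killed: "+li.Label)
	}
	return out
}

// AuditPlist parses one plist document and returns its findings.
func AuditPlist(doc string) ([]string, error) {
	item, err := ParseLaunchItem([]byte(doc))
	if err != nil {
		return nil, err
	}
	return Findings(item), nil
}

// Constructed sample plists (not taken from any real system).
const BenignPlist = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.backup</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/bin/backup</string>
		<string>--nightly</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>`

const SuspiciousPlist = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.updater</string>
	<key>ProgramArguments</key>
	<array>
		<string>/Users/Shared/.cache/updater</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>KeepAlive</key>
	<true/>
</dict>
</plist>`

func main() {
	for name, doc := range map[string]string{"benign": BenignPlist, "suspicious": SuspiciousPlist} {
		findings, err := AuditPlist(doc)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

On a real host the same function would be run over every file in /Library/LaunchDaemons, /Library/LaunchAgents and each user's ~/Library/LaunchAgents, and the Gatekeeper state the article mentions can be read with `spctl --status`, which reports whether assessments are enabled.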

Currently it is not known how the malware is distributed, or whether phishing or malvertising lures are involved, so the scope of the campaign remains unclear.

“JaskaGO contributes to a growing trend in malware development that leverages the Go programming language”, said Caspi. “Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors looking to create versatile and sophisticated threats.”

Cases similar to JaskaGO

There are several cases of malware and cyber threats that have affected both Windows and macOS systems, although not all are necessarily related to the Go programming language. Here are some examples:

Flashback (2011): was a trojan for macOS which exploited a vulnerability in Java to infect systems. It demonstrated the ability to spread massively.

WannaCry (2017): was a large-scale ransomware attack which exploited a vulnerability in Windows. It spread rapidly across the world, causing considerable damage.

CoinTicker (2018): was adware designed for macOS that displayed fraudulent advertisements and included cryptocurrency mining without user consent.

NotPetya (2017): was a ransomware that mainly affected businesses. It spread by exploiting a vulnerability in Ukrainian administrative accounting software.

OSX/Dok (2017): was malware targeting macOS users, trying to intercept encrypted web communications and obtain sensitive information.

Emotet (2014 – 2021): was a banking trojan initially designed to steal financial information. Over time, it evolved its functionality and became a vehicle for the distribution of other malware, including ransomware.

Bad Rabbit (2017): was a ransomware attack targeted mainly at systems in Eastern Europe. It spread under the guise of an update to Adobe Flash (now discontinued).

Note that the cyber threat landscape is constantly evolving and new malware can emerge at any time, so cybersecurity requires a combination of best practices, regular updates and user awareness to mitigate risks.