Windows and macOS users are being targeted by JaskaGO, a rare instance of cross-platform malware capable of data exfiltration, second-stage malware deployment and more, experts warn.
According to AT&T Alien Labs, which exposed the threat, JaskaGO is written in the Go programming language and equipped with an “extensive set of commands from the command-and-control (C&C) server.”
Although the delivery methods differ between the two platforms, the researchers say that for Apple users JaskaGO masquerades as installers for CapCut and AnyConnect, among other applications.
Tracking the clipboard for crypto payments
Once installed, the malware first checks whether it is running inside a sandbox. If it detects a virtual machine environment, it performs pointless tasks to avoid being flagged as malicious. If it instead judges the environment to be a legitimate target, it collects system data and attempts to connect to its C2.
The malware can perform various actions, including executing shell commands, enumerating running processes, and downloading additional malware. It can also track the clipboard for cryptocurrency wallet addresses.
Typically, crypto users would conduct transactions by copying and pasting the recipient's address (since it's a long string of seemingly random characters that's almost impossible to remember) into an app or service. By monitoring the clipboard, the malware can inject the attacker's address, causing the victim to paste the wrong string and send the funds to a wallet controlled by the attacker.
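The substitution described above has a recognisable shape from the defender's side: a wallet-looking string lands on the clipboard and is overwritten by a different wallet-looking string of the same family far faster than a person could copy a new one. The following Go program is an added example, not code from the article or from AT&T Alien Labs, showing how a clipboard-monitoring agent could flag that pattern. The event format, the address regexes, the two-second window and the sample addresses are all assumptions constructed for the example; the addresses are made-up placeholders, not real wallets.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// ClipEvent is one clipboard snapshot as a monitoring agent might record it.
// The format is constructed for this example, not taken from the article.
type ClipEvent struct {
	At      time.Time
	Content string
}

// addressPattern pairs a wallet-address family with a loose syntactic check.
// Kept as an ordered slice (not a map) so classification is deterministic.
type addressPattern struct {
	Kind string
	Re   *regexp.Regexp
}

var addressPatterns = []addressPattern{
	{"btc-legacy", regexp.MustCompile(`^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$`)},
	{"btc-bech32", regexp.MustCompile(`^bc1[ac-hj-np-z02-9]{11,71}$`)},
	{"eth", regexp.MustCompile(`^0x[0-9a-fA-F]{40}$`)},
}

// AddressKind returns the wallet-address family the text resembles, or "" if none.
func AddressKind(s string) string {
	s = strings.TrimSpace(s)
	for _, p := range addressPatterns {
		if p.Re.MatchString(s) {
			return p.Kind
		}
	}
	return ""
}

// Alert records a suspected clipper substitution.
type Alert struct {
	At          time.Time
	Kind        string
	Original    string
	Replacement string
}

// DetectClipper walks clipboard events in order and flags the clipper signature:
// a wallet address is overwritten by a *different* address of the same family
// within `window` of being placed on the clipboard. A human re-copying a new
// address takes seconds; a clipper reacts in milliseconds.
func DetectClipper(events []ClipEvent, window time.Duration) []Alert {
	var alerts []Alert
	for i := 1; i < len(events); i++ {
		prev, cur := events[i-1], events[i]
		kind := AddressKind(prev.Content)
		if kind == "" || kind != AddressKind(cur.Content) {
			continue // not an address-to-address change of the same family
		}
		if strings.TrimSpace(prev.Content) == strings.TrimSpace(cur.Content) {
			continue // same address re-copied; nothing was swapped
		}
		if cur.At.Sub(prev.At) <= window {
			alerts = append(alerts, Alert{cur.At, kind, prev.Content, cur.Content})
		}
	}
	return alerts
}

// SampleEvents is a constructed clipboard timeline containing one substitution.
// The addresses are syntactically valid placeholders, not real wallets.
func SampleEvents() []ClipEvent {
	t0 := time.Date(2023, 12, 20, 10, 0, 0, 0, time.UTC)
	return []ClipEvent{
		{t0, "meeting notes"},
		{t0.Add(5 * time.Second), "1VictimWa11etAddressExampLe12345"},          // user copies recipient
		{t0.Add(5200 * time.Millisecond), "1AttackerWa11etAddressExampLe678"},  // swapped 200 ms later
		{t0.Add(60 * time.Second), "0x" + strings.Repeat("ab", 20)},           // unrelated ETH copy
		{t0.Add(120 * time.Second), "0x" + strings.Repeat("cd", 20)},          // legitimate new copy, a minute later
	}
}

func main() {
	for _, a := range DetectClipper(SampleEvents(), 2*time.Second) {
		fmt.Printf("%s possible clipper (%s): %s -> %s\n",
			a.At.Format(time.RFC3339), a.Kind, a.Original, a.Replacement)
	}
}
```

The window is the key tuning knob: too short and a fast clipper slips through, too long and a user who copies two addresses in quick succession triggers a false positive. The regexes are deliberately loose (no checksum validation), which is fine for a detector whose cost of a false positive is a warning prompt rather than a blocked transaction.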
“On macOS, JaskaGO uses a multi-step process to establish persistence within the system,” security researcher Ofer Caspi told The Hacker News.
At this time, AT&T Alien Labs researchers do not know how JaskaGO is delivered to most users or whether phishing or social engineering is involved. They also cannot yet estimate the number of infected devices.
“JaskaGO contributes to a growing trend in malware development by leveraging the Go programming language,” Caspi added. “Go, also known as Golang, is known for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors looking to create versatile and advanced threats.”