    New Go-based JaskaGO malware targets Windows and macOS systems

    By techempire | Report | December 20, 2023 | Editorial Department | Cryptocurrency/Malware

    A new Go-based information-stealing malware called JaskaGO has become the latest cross-platform threat to penetrate Windows and Apple macOS systems.

    AT&T Alien Labs, which made the discovery, said the malware “comes with a large number of commands from its command and control (C&C) server.”

    The artifact designed for macOS was first discovered in July 2023 and imitates the installers of legitimate software such as CapCut. Other variants of the malware are disguised as AnyConnect and security tools.

    Once installed, JaskaGO performs a check to determine if it is executing in a virtual machine (VM) environment and, if so, performs a harmless task such as pinging Google or printing a nonce to stay under the radar.

    In other scenarios, JaskaGO continues to collect messages from the victim’s system and establishes a connection to its C&C to receive further instructions, including executing shell commands, enumerating running processes, and downloading additional payloads.

    It can also modify the clipboard to facilitate cryptocurrency theft by replacing wallet addresses, and it can steal files and data from web browsers.

    “On macOS, JaskaGO uses a multi-step process to establish persistence within the system,” said security researcher Ofer Caspi, outlining its methods of running itself with root privileges, disabling Gatekeeper protection, and creating a custom boot daemon (or boot agent) to ensure it starts automatically when the system starts.
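The persistence described above (an auto-starting daemon or agent, possibly running as root) can be audited from the defender's side. The following Python script is an added example, not code from the article or from AT&T Alien Labs: on macOS such items are launchd property lists, and the path heuristics, sample labels and sample paths are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path

# Heuristic assumptions (not from the article): usual install locations for
# launch item executables, and locations any local user can normally write to.
USUAL_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def program_of(job):
    """Executable a launchd job starts: Program, else ProgramArguments[0]."""
    args = job.get("ProgramArguments") or [None]
    return job.get("Program") or args[0]

def audit_job(plist_bytes, is_daemon):
    """Return the reasons a launchd job deserves review (empty list if none)."""
    job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    program = program_of(job)
    if not program:
        return ["no Program or ProgramArguments"]
    findings = []
    if program.startswith(USER_WRITABLE):
        findings.append("executable in user-writable location")
    elif not program.startswith(USUAL_PREFIXES):
        findings.append("executable outside usual install locations")
    if any(part.startswith(".") for part in program.split("/")):
        findings.append("hidden path component")
    if findings:
        if job.get("RunAtLoad") or job.get("KeepAlive"):
            findings.append("starts automatically")
        # Jobs in LaunchDaemons run as root unless UserName says otherwise.
        if is_daemon and job.get("UserName", "root") == "root":
            findings.append("runs as root")
    return findings

# Constructed sample jobs (labels and paths are made up for this example).
SUSPICIOUS = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                             "ProgramArguments": ["/Users/Shared/.cache/updater", "-q"]})
BENIGN = plistlib.dumps({"Label": "com.example.vendor.helper", "RunAtLoad": True,
                         "Program": "/Applications/Example.app/Contents/MacOS/helper"})

if __name__ == "__main__":
    for directory, is_daemon in (("/Library/LaunchDaemons", True), ("/Library/LaunchAgents", False)):
        for plist in sorted(Path(directory).glob("*.plist")):
            try:
                reasons = audit_job(plist.read_bytes(), is_daemon)
            except Exception as exc:  # unreadable or malformed plist
                reasons = [f"could not parse: {exc}"]
            if reasons:
                print(f"{plist}: {'; '.join(reasons)}")
```

Path heuristics only narrow the list for review; a flagged executable still needs its code signature and origin checked. Because the malware is also reported to disable Gatekeeper, `spctl --status` is a useful companion check.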

    It is unclear how the malware is distributed and whether phishing or malvertising lures are involved. The scale of the campaign is also currently unclear.

    “JaskaGO contributes to the growing trend of malware development using the Go programming language,” Caspi said.

    “Go, also known as Golang, is known for its simplicity, efficiency, and cross-platform functionality. Its ease of use makes it an attractive choice for malware authors looking to create versatile and sophisticated threats.”
