A new information stealer malware, named JaskaGO, has surfaced as a cross-platform threat affecting both Windows and Apple macOS systems. Discovered by AT&T Alien Labs, the malware is built using the Go programming language and is noted for its extensive array of commands received from a command-and-control (C&C) server.

The macOS-specific artifacts of JaskaGO were initially identified in July 2023, posing as installers for legitimate software like CapCut, AnyConnect, and security tools. Upon installation, the malware conducts checks to determine if it is running within a virtual machine (VM) environment, executing harmless tasks like pinging Google or printing a random number to avoid detection.

In certain scenarios, JaskaGO proceeds to gather information from the victim’s system and establishes a connection to its C&C server for further instructions. These instructions include executing shell commands, enumerating running processes, and downloading additional payloads. The malware is also capable of modifying the clipboard to facilitate cryptocurrency theft by replacing wallet addresses and extracting files and data from web browsers.

On macOS, JaskaGO utilizes a multi-step process to establish persistence within the system. This includes running with root permissions, disabling Gatekeeper protections, and creating a custom launch daemon or launch agent to ensure automatic execution during system startup.

The distribution method of JaskaGO is currently unknown, and it remains unclear whether it involves phishing or malvertising lures. The scale of the campaign is yet to be determined.

Security researcher Ofer Caspi emphasized that JaskaGO is part of a growing trend in malware development utilizing the Go programming language (Golang). Known for its simplicity, efficiency, and cross-platform capabilities, Golang has become an attractive choice for malware authors aiming to create versatile and sophisticated threats.