METALJACK

Malware

⚠️ Overview

MetalJack is a Go-based backdoor trojan first reported by Kaspersky in June 2021 and attributed to the Lazarus Group (also tracked as APT38 and Hidden Cobra). It is a remote access trojan (RAT) built for covert intelligence gathering and espionage against the defense and cryptocurrency sectors.

🔧 Technical Capabilities

MetalJack communicates with its command-and-control (C2) infrastructure over HTTP/HTTPS channels encrypted with AES-256-CBC, which complicates traffic analysis. It achieves persistence by creating a scheduled task named “WindowsUpdateTask” or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware uses process injection via the CreateRemoteThread API to evade detection and performs anti-debugging checks with IsDebuggerPresent. Propagation is primarily via spear-phishing emails carrying weaponized Microsoft Office documents (e.g., XLS files with malicious macros) that drop the initial payload. The backdoor supports more than 20 commands, including file upload/download, keylogging, screen capture, and remote shell execution. It uses a custom C2 protocol with base64-encoded payloads and a specific GET request format: /images/update.php?id=<victim_id>.

📜 History & Notable Incidents

First observed in early 2021 targeting South Korean aerospace and defense contractors, MetalJack was part of a Lazarus campaign tracked as “Operation DreamJob” by CISA. Notable incidents include the compromise of a South Korean shipbuilding firm in September 2021, where attackers exfiltrated blueprints and contracts over a four-month period. No CVEs are directly associated with MetalJack; instead, it exploits CVE-2017-11882 (Equation Editor) and CVE-2021-40444 (MSHTML) in its delivery chain, as noted in MITRE ATT&CK technique T1193. Law enforcement has not publicly linked any arrests to this specific malware.

🔍 Detection Indicators

Known file hashes from public sandboxes include SHA256 a3f2c8e1d4b9a7f0c5e2d3b6a1c8f7e4d9b2a5c0f3e6d1b4a7c8f9e0d2b5a3 (sample analyzed by VirusTotal). Network indicators include the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” combined with the specific HTTP header X-Metal: 1.0. Behavioral signatures include the creation of the mutex “MetalJack_Mutex” and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsUpdater. Persistence is also achieved via a scheduled task named “MetaUpdater”.
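As an added example (not from the original profile or from any vendor tooling), the following Python matches the network and host indicators listed above against constructed sample records; the pipe-delimited proxy export format and the EDR artifact lists are assumptions made for the sample, and the User-Agent is only scored in combination with another indicator, as the profile describes.

```python
import re
from typing import List, Tuple

# Indicators taken from the profile above: C2 GET path, X-Metal header,
# User-Agent prefix, mutex, scheduled-task names and Uninstall registry key.
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
C2_PATH_RE = re.compile(r"^/images/update\.php\?id=[^&\s]+$")
MUTEX_NAMES = {"MetalJack_Mutex"}
TASK_NAMES = {"MetaUpdater", "WindowsUpdateTask"}
REGISTRY_KEYS = {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsUpdater"}

def score_request(method: str, path: str, user_agent: str, extra_header: str) -> List[str]:
    """Return the names of the network indicators one HTTP record matches."""
    hits = []
    if method == "GET" and C2_PATH_RE.match(path):
        hits.append("c2_beacon_path")
    name, _, value = extra_header.partition(":")
    if name.strip().lower() == "x-metal" and value.strip() == "1.0":
        hits.append("x_metal_header")
    # The User-Agent is a stock Chrome prefix, so it only counts when
    # another indicator has already fired ("combined with" in the profile).
    if hits and user_agent.startswith(USER_AGENT):
        hits.append("known_user_agent")
    return hits

def scan_proxy_log(text: str) -> List[Tuple[str, List[str]]]:
    """Scan a pipe-delimited proxy export (constructed/assumed format:
    ts|src_ip|method|path|user_agent|extra_header); return (src_ip, hits)."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        _ts, src_ip, method, path, ua, extra = line.split("|", 5)
        hits = score_request(method, path, ua, extra)
        if hits:
            findings.append((src_ip, hits))
    return findings

def score_host_artifacts(mutexes, tasks, registry_keys) -> List[str]:
    """Match mutex, scheduled-task and registry names from an EDR snapshot."""
    return ([f"mutex:{m}" for m in mutexes if m in MUTEX_NAMES]
            + [f"task:{t}" for t in tasks if t in TASK_NAMES]
            + [f"registry:{k}" for k in registry_keys if k in REGISTRY_KEYS])

# Constructed sample records: a beacon, a benign request, and a POST that
# carries the header but not the GET beacon path.
SAMPLE_PROXY_LOG = """\
2021-09-03T10:14:22Z|10.0.0.12|GET|/images/update.php?id=WS-0042|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)|X-Metal: 1.0
2021-09-03T10:14:25Z|10.0.0.13|GET|/images/logo.png|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)|
2021-09-03T10:15:01Z|10.0.0.12|POST|/images/update.php?id=WS-0042|curl/7.79.1|X-Metal: 1.0
"""
```

Running scan_proxy_log(SAMPLE_PROXY_LOG) flags both records from 10.0.0.12 and nothing for the benign request.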

☠️ Risk & Impact

MetalJack causes significant data exfiltration, primarily targeting intellectual property such as defense blueprints and cryptocurrency wallet credentials. Financial losses are difficult to quantify but are estimated in the hundreds of millions due to the theft of proprietary technology. The affected sectors are predominantly aerospace, defense, and cryptocurrency exchanges, with South Korea, Japan, and the United States being the most impacted geographies.

🛡️ Mitigation

Defenders should enforce Microsoft Office macro security settings, apply patches for CVE-2017-11882 and CVE-2021-40444, and deploy YARA rules that detect the Go runtime together with common MetalJack strings such as “meta_update” and “dreamjob”. Recommended detection rules, covering hash-based blocking and EDR signatures for anomalous scheduled task creation, are available from the CISA GitHub repository.
