A previously unknown and technically sophisticated advanced persistent threat (APT) framework that has been in operation for 5 years has been discovered. Revealed by Kaspersky Lab and dubbed Project TajMahal, the newly found APT framework includes as many as 80 malicious modules stored in its encrypted virtual file system (VFS), among them backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and its own file indexer.
What do we know about TajMahal?
Whether this was developed by a previously known APT group is unclear, as is the ultimate goal of the attack. The company’s analysis of the malware suggested it may date back as far as August 2013, while the “diplomatic entity” was infected a year later in August 2014. The latest sample Kaspersky found was from August 2018, suggesting the group is still active.
So far, TajMahal has just one confirmed victim, an unnamed “central Asian diplomatic entity.” However, Kaspersky warned that such sophisticated work would not be developed and used against only one target. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”
“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase,” Shulmin added. “Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question.”
What can TajMahal do?
Named after the XML file used for data exfiltration, TajMahal is made up of two packages: Tokyo and Yokohama. Tokyo acts as the main backdoor (via PowerShell) and delivery mechanism for Yokohama, periodically connects with the command and control servers, and remains on the victim system as a backup. Yokohama is the main payload and includes a VFS with all plugins, open-source and proprietary third-party libraries, and configuration files.
It is able to steal cookies, intercept documents from the print queue, record audio, take screenshots, index files (including those on external drives connected to infected devices) and steal specific files when they are next detected, and capture information burned to CDs. The fact that its code base and infrastructure are not shared with other known APTs is likely why it was able to remain undetected for so long.
What don’t we know about TajMahal?
Kaspersky’s discovery, while noteworthy, throws up many questions that have not been answered:
Who’s behind TajMahal? Kaspersky hasn’t identified any potential group that might be behind TajMahal, and there are no attribution clues nor any links to known threat groups. According to ThreatPost, the one known victim was previously unsuccessfully targeted by Zebrocy, a malware strain associated with the Russian-linked hacking group Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group and others). Kaspersky notes that the Russian-linked Turla/Uroboros Trojan also involved a backdoor called TadjMakhal.
How does it spread? So far, Kaspersky has said that the distribution and infection vectors are still unknown.
What were they after? Given that it was able to take screenshots and capture audio, keystrokes, documents, messages sent via instant messaging and more, it’s unclear what intelligence the attackers were actually after. Given that the one known victim was a diplomatic entity, it’s likely to be sensitive information.
This story, “New TajMahal APT discovered by Kaspersky with an unknown number of victims” was originally published by