New TajMahal APT discovered by Kaspersky has one known victim, likely others

by ethhack

A previously unknown and technically sophisticated advanced persistent threat (APT) framework that has been in operation for five years has been discovered. Revealed by Kaspersky Lab and dubbed Project TajMahal, the newly found APT framework contains up to 80 malicious modules stored in its encrypted virtual file system (VFS), including backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and its own file indexer.

“The huge amount of plugins that implement various features is something we have never before seen in any other APT activity,” the company said in its analysis of the malware.

What do we know about TajMahal?

Whether this was developed by a previously known APT group is unclear, as is the ultimate goal of the attack. The company’s analysis of the malware suggested it may date back as far as August 2013, while the “diplomatic entity” was infected a year later, in August 2014. The most recent sample Kaspersky found was from August 2018, suggesting the group is still active.

So far, TajMahal has only one confirmed victim, an unnamed “central Asian diplomatic entity.” However, Kaspersky warned that such sophisticated work would not be developed and used against a single target. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”

“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified so far is likely to increase,” Shulmin added. “Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question.”

What can TajMahal do?

Named after the XML file used for data exfiltration, TajMahal is made up of two packages: Tokyo and Yokohama. Tokyo acts as the main backdoor (via PowerShell) and the delivery mechanism for Yokohama; it periodically connects to the command-and-control servers and stays on the victim system as a backup. Yokohama is the main payload and includes a VFS with all plugins, open-source and proprietary third-party libraries, and configuration files.
