A previously unknown and technically sophisticated advanced persistent threat (APT) framework that has been in operation for 5 years has been discovered. Revealed by Kaspersky Lab and dubbed Project TajMahal, the newly found APT framework includes as many as 80 malicious modules stored in its encrypted virtual file system (VFS), including backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and its own file indexer.
“The huge amount of plugins that implement numerous features is something we have never before seen in any other APT activity,” the company said in its analysis of the malware.
What can we find out about TajMahal?
Whether this was developed by a previously known APT group is unclear, as is the ultimate goal of the attack. The company’s analysis of the malware suggested it could date back as far as August 2013, while the “diplomatic entity” was infected a year later in August 2014. The most recent sample Kaspersky found was from August 2018, suggesting the group is still active.
To date, TajMahal has only one confirmed victim, an unnamed “central Asian diplomatic entity.” However, Kaspersky warned that such sophisticated work wouldn’t be developed and used against one target. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”
“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified so far is likely to increase,” Shulmin added. “Somehow, it has stayed under the radar for over 5 years. Whether this is due to relative inactivity or something else is another intriguing question.”
What can TajMahal do?
Named after the XML file used for data exfiltration, TajMahal is made up of two packages: Tokyo and Yokohama. Tokyo acts as the main backdoor (via PowerShell) and the delivery mechanism for Yokohama; it periodically connects to the command and control servers and stays on the victim system as a backup. Yokohama is the main payload and includes a VFS with all plugins, open-source and proprietary third-party libraries, and configuration files.
It is able to steal cookies, intercept documents from the print queue, record audio, take screenshots, index files (including those on external drives connected to infected devices) and steal specific files when they are next detected, and capture data burned onto CDs. The fact that its code base and infrastructure are not shared with other known APTs is likely why it was able to remain undetected for so long.
What don’t we find out about TajMahal?
Kaspersky’s discovery, while noteworthy, raises many questions that haven’t been answered:
Who is behind TajMahal? Kaspersky hasn’t identified any potential group that could be behind TajMahal, and there are no attribution clues nor any links to known threat groups. According to ThreatPost, the only known victim was previously unsuccessfully targeted by Zebrocy, a malware strain associated with the Russian-linked hacking group Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group and others). Kaspersky notes that the Russian-linked Turla/Uroboros Trojan also involved a backdoor known as TadjMakhal.
How does it spread? So far, Kaspersky has said that the distribution and infection vectors are still unknown.
What were they after? Given that it was able to capture screenshots, audio, keystrokes, documents, messages sent via instant messaging and more, it’s unclear what intelligence the attackers were really after. Given that the only known victim was a diplomatic entity, it’s likely to be sensitive information.