Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

4/16/2019
06:10 PM

Decoding a 'New' Elite Cyber Espionage Team

Stealthy and well-heeled hacking group went undetected for five years and wields a massive attack framework of some 80 different modules.

It's an expansive cyber espionage operation that canvasses a victim's network with backdoors, loaders, keyloggers, screen and webcam grabbers, and audio recorders, and it even siphons data from printer queues, burned CDs, and Apple iOS smartphone backups.  

The so-called TajMahal attack framework operated undetected for five years until researchers at Kaspersky Lab uncloaked it last fall, finding it embedded deep in the network of a diplomatic organization in Central Asia, where it had been spying and stealing documents since 2014. TajMahal comes with some 80 different attack modules, including a rare one that lets the attacker steal specific files from a USB stick when the device is inserted into a computer.

Given the breadth of TajMahal's attack arsenal, there are likely other victims that have not yet been identified. "They're possibly using this framework elsewhere, but we're not [able to see] in those organizations. It would be highly unusual for a malware set that looks like this to be for" a single use, said Kurt Baumgartner, principal security researcher with Kaspersky Lab, in an interview last week at the Kaspersky Security Analyst Summit in Singapore, where the company shared its findings on TajMahal. 

The researchers found no ties between TajMahal and existing nation-state threat groups, nor any similarities between its code base and others'. It appears to be a "new," previously unknown cyber espionage group that's especially advanced and well resourced and that expects to be well entrenched in a victim's network for long periods of time, according to Baumgartner. "They actually exfiltrate an entire mobile phone backup — that's something that takes a lot of time."

While TajMahal's mobile-theft capability is rare, it's also reminiscent of the epic Red October APT cyber espionage campaign that Kaspersky Lab first unearthed in 2013. "Red October built out modules that were purpose-built for exfiltrating mobile data," Baumgartner said.

Red October stole terabytes of information from computers, smartphones, routers, and VoIP phones of government, diplomatic, and scientific research organizations spanning multiple regions worldwide, and at the time was considered one of the most sophisticated cyber espionage operations in the world.

Baumgartner said TajMahal, with its massive number of plug-in modules, falls into the category of well-resourced APT tooling like Flame and Duqu, two other infamous cyber espionage platforms. Another notable element of TajMahal is its virtual file system (VFS), an indexed and encrypted file system in which it stores its attack tools, he said.

It's likely the attackers also have changed IP addresses to evade detection, according to Alexey Shulman, lead malware analyst at Kaspersky Lab. "They are probably on other machines" that haven't yet been discovered, he said.

Tokyo & Yokohama
TajMahal, which was named after the file the attackers use to exfiltrate data, is made up of two main components: Tokyo and Yokohama. Tokyo launches the first stage of the attack. It consists of three modules, including the main backdoor and its command-and-control channel, and uses PowerShell to stay resident and unobtrusive on the network.

Yokohama is the second stage: the full-blown spying operation, delivered as the attackers' VFS containing the roughly 80 modules. Among them are command-and-control communicators, cryptographic key stealers, and browser cookie stealers that target Internet Explorer, Firefox, and Netscape Navigator, for example.
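The article says Tokyo's backdoor and command-and-control channel lean on PowerShell to stay unobtrusive, and the closing advice is to rely on endpoint tooling. The block below is an added example, not code from the article or from Kaspersky's report: a small Python triage routine over constructed Windows process-creation records (the shape of Security event 4688's "New Process Name" and "Process Command Line" fields) that scores PowerShell launches on the switches attackers commonly combine (hidden window, non-interactive, no profile, execution-policy bypass, -EncodedCommand) and decodes the Base64/UTF-16LE payload behind -EncodedCommand so the inner script can be inspected. The sample records, field names, indicator weights and alert threshold are all assumptions for illustration and are not TajMahal indicators; the approach generalizes to any PowerShell-based implant, not just the one described here.

```python
import base64
import re

# Constructed sample records (not real logs and not TajMahal indicators): the
# shape is a flattened Windows Security event 4688, keeping only the fields the
# triage uses. The first record's payload is built the way PowerShell expects
# -EncodedCommand to be built: UTF-16LE text, then Base64.
_INNER_SCRIPT = "Start-Sleep 900; Invoke-WebRequest http://example.invalid/beacon"
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive "
                "-EncodedCommand "
                + base64.b64encode(_INNER_SCRIPT.encode("utf-16-le")).decode("ascii")},
    {"pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"pid": 5002,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Only powershell.exe / pwsh.exe launches are scored.
POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)

# powershell.exe accepts unambiguous prefixes of its switches, so each pattern
# tolerates the short forms (-w/-win/-windowstyle, -e/-ec/-enc, -nop, -noni).
# The weights are an illustrative assumption, not a published scoring scheme.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
COMMAND_LINE_INDICATORS = [
    ("hidden_window",   re.compile(r"-w\w*\s+hidden", re.I),     2),
    ("non_interactive", re.compile(r"-noni\w*", re.I),           1),
    ("no_profile",      re.compile(r"-nop\w*", re.I),            1),
    ("bypass_policy",   re.compile(r"-e[px]\w*\s+bypass", re.I), 1),
    ("encoded_command", ENCODED_RE,                              3),
]
# Checked against the decoded inner script, where the real intent usually sits.
DECODED_INDICATORS = [
    ("web_download", re.compile(r"invoke-webrequest|downloadstring|downloadfile|net\.webclient", re.I), 2),
    ("long_sleep",   re.compile(r"start-sleep\s+\d{3,}", re.I), 1),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyze_event(event):
    """Score one process-creation record; non-PowerShell images score 0."""
    result = {"pid": event["pid"], "score": 0, "findings": [], "decoded": None}
    if not POWERSHELL_IMAGE.search(event["image"]):
        return result
    cmdline = event["cmdline"]
    for name, pattern, weight in COMMAND_LINE_INDICATORS:
        if pattern.search(cmdline):
            result["findings"].append(name)
            result["score"] += weight
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        result["decoded"] = decoded
        for name, pattern, weight in DECODED_INDICATORS:
            if pattern.search(decoded):
                result["findings"].append(name)
                result["score"] += weight
    return result


def triage(events, threshold=4):
    """Return the scored records at or above the alert threshold, highest score first."""
    hits = [r for r in map(analyze_event, events) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} score {hit['score']}: {', '.join(hit['findings'])}")
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

Run against the constructed records, only the first launch crosses the threshold: the second is a routine -ExecutionPolicy Bypass script run that scores 1 and the third is not PowerShell at all. The point of decoding the payload rather than alerting on -EncodedCommand alone is that the decoded text is what the downstream indicators and the analyst actually need; in production the records would come from 4688 with command-line auditing enabled or from Sysmon event 1, and Script Block Logging (event 4104) would supply the decoded script directly.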

Still unknown, however, is the initial attack or infection vector for TajMahal.

While Kaspersky researchers declined to speculate on which nation-state is behind TajMahal, other experts say its well-resourced and comprehensive attack arsenal indicates that it's one of the most advanced APT groups in operation. "The modular nature of the code, coupled with advanced persistence features to engage in proximity attacks, makes it truly formidable," says Tom Kellermann, chief cybersecurity officer at Carbon Black. "This code is being selectively deployed across the [Central Asia] region and should serve as a harbinger of APTs to come." 

TajMahal's capabilities demonstrate how cyberattacks can be executed "in the physical world" as well, Kellermann says, by pilfering data from printer queues, burned CDs, and USBs, and turning on computer microphones and cameras from afar.

While protecting networks from determined nation-states and other advanced attackers is never foolproof, the usual best practices can minimize exposure. Kaspersky Lab recommends schooling users on phishing and social engineering scams, keeping software updated, and employing advanced endpoint security tools.

The researchers also released indicators of compromise and other technical details for TajMahal.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comments
tonny123, User Rank: Apprentice
6/15/2019 | 1:01:24 AM
Netgear Router issues
All users must be familiar with all the tricks of cybersecurity that will be fruitful for them, and take any kind of useful suggestion that will help them sort things out easily.