Dark Reading is part of the Informa Tech Division of Informa PLC
Threat Intelligence

4/16/2019
06:10 PM
Decoding a 'New' Elite Cyber Espionage Team

Stealthy and well-heeled hacking group went undetected for five years and wields a massive attack framework of some 80 different modules.

It's an expansive cyber espionage operation that canvasses a victim's network with backdoors, loaders, keyloggers, screen and webcam grabbers, and audio recorders, and it even siphons data from printer queues, burned CDs, and Apple iOS smartphone backups.  

The so-called TajMahal attack framework operated invisibly for five years until it was uncloaked last fall by researchers at Kaspersky Lab, who found it embedded deep in the network of a diplomatic organization in Central Asia, where it had been spying and stealing documents since 2014. TajMahal comes with a whopping 80 different attack modules, including an unusual and rare one that indexes the files on a removable USB drive so the attacker can request a specific file, which is then stolen the next time that drive is plugged into the computer.

Given the breadth of TajMahal's attack arsenal, there are likely other victims that have not yet been identified. "They're possibly using this framework elsewhere, but we're not [able to see] in those organizations. It would be highly unusual for a malware set that looks like this to be for" a single use, said Kurt Baumgartner, principal security researcher with Kaspersky Lab, in an interview last week at the Kaspersky Security Analyst Summit in Singapore, where the company shared its findings on TajMahal. 

The researchers found no ties between TajMahal and existing nation-state threat groups, nor any similarities in its code base to others'. It appears to be a "new," previously unknown cyber espionage group that's especially advanced and well resourced and that expects to be well entrenched in a victim's network for long periods of time, according to Baumgartner. "They actually exfiltrate an entire mobile phone backup — that's something that takes a lot of time."

While TajMahal's mobile-theft capability is rare, it's also reminiscent of the epic Red October APT cyber espionage campaign that Kaspersky Lab first unearthed in 2013. "Red October built out modules that were purpose-built for exfiltrating mobile data," Baumgartner said.

Red October stole terabytes of information from computers, smartphones, routers, and VoIP phones of government, diplomatic, and scientific research organizations spanning multiple regions worldwide, and at the time was considered one of the most sophisticated cyber espionage operations in the world.

Baumgartner said TajMahal, with its massive number of plug-in modules, falls into the category of a well-resourced APT platform like Flame and Duqu, two other infamous modular cyber espionage toolkits. Another interesting element of TajMahal is its virtual file system (VFS), an indexed and encrypted file system in which it stores its attack tools so that the modules never sit on disk in clear form, he said.

It's likely the attackers also have changed IP addresses to evade detection, according to Alexey Shulman, lead malware analyst at Kaspersky Lab. "They are probably on other machines" that haven't yet been discovered, he said.

Tokyo & Yokohama
TajMahal, which was named after the file the attackers use to exfiltrate data, is made up of two main components: Tokyo and Yokohama. Tokyo is the first stage of the attack: it consists of three modules, including the main backdoor and the command-and-control communication, it relies on PowerShell, and it stays resident in the network as the attackers' foothold even after the second stage has been delivered.

Yokohama is the second stage of the attack, the full-blown spying operation, and uses the attackers' VFS with the 80 modules, which also include command-and-control communicators, cryptography key stealers, and browser cookie stealers that target Internet Explorer, Firefox, and Netscape Navigator, for example.
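The indexed, encrypted virtual file system described above is the kind of container a modular framework uses to keep its plug-ins off disk in clear form. What follows is an added illustration of that concept only; it is not TajMahal's real on-disk format (Kaspersky did not publish it here) and it is not code from the article or from Kaspersky. The container layout, the `TVFS` magic value, the per-module nonce derivation and the use of an HMAC-SHA256 keystream as a stand-in for whatever cipher the real framework uses are all assumptions made for this example.

```python
"""Toy indexed, encrypted module container (a minimal "VFS").

Added illustration, NOT TajMahal's actual format (assumption: a generic
index-plus-blobs layout).  Layout, constructed for this example:

    magic(4) | n_entries(4) | index | blobs
    index entry: name_len(2) | name | offset(4) | length(4) | tag(32)

Blob bodies are masked with an HMAC-SHA256 keystream (CTR-style, a toy
stand-in for a real cipher) so module bytes never appear in clear on disk,
and each blob carries an HMAC tag so a tampered blob is refused before load.
"""
import hashlib
import hmac
import struct

MAGIC = b"TVFS"  # assumed magic value for this toy format


def _nonce(name):
    # Toy: nonce derived from the module name (a real design would use a
    # random per-version nonce; name-derived nonces repeat across rebuilds).
    return hashlib.sha256(name.encode()).digest()[:16]


def _keystream(key, nonce, length):
    # CTR-like keystream: HMAC(key, nonce || counter) blocks, truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def pack(modules, key):
    """Build a container from {module_name: plaintext_bytes}."""
    blobs = []
    for name in sorted(modules):  # deterministic order -> stable index
        nonce = _nonce(name)
        ct = _xor(modules[name], _keystream(key, nonce, len(modules[name])))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        blobs.append((name, ct, tag))
    index_size = sum(2 + len(n.encode()) + 4 + 4 + 32 for n, _, _ in blobs)
    offset = 8 + index_size  # first blob starts right after magic+count+index
    index, body = b"", b""
    for name, ct, tag in blobs:
        nb = name.encode()
        index += struct.pack(">H", len(nb)) + nb + struct.pack(">II", offset, len(ct)) + tag
        body += ct
        offset += len(ct)
    return MAGIC + struct.pack(">I", len(blobs)) + index + body


def read_index(container):
    """Parse the index: {name: (offset, length, tag)}. Names are in clear."""
    if container[:4] != MAGIC:
        raise ValueError("not a TVFS container")
    (n,) = struct.unpack(">I", container[4:8])
    pos, entries = 8, {}
    for _ in range(n):
        (nl,) = struct.unpack(">H", container[pos:pos + 2]); pos += 2
        name = container[pos:pos + nl].decode(); pos += nl
        off, ln = struct.unpack(">II", container[pos:pos + 8]); pos += 8
        tag = container[pos:pos + 32]; pos += 32
        entries[name] = (off, ln, tag)
    return entries


def load_module(container, key, name):
    """Verify the tag, then return the module plaintext (never written to disk)."""
    off, ln, tag = read_index(container)[name]
    ct = container[off:off + ln]
    nonce = _nonce(name)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("module tag mismatch: container tampered or wrong key")
    return _xor(ct, _keystream(key, nonce, ln))


def contains_plaintext(container, needle):
    """What a naive on-disk string/signature scan would see."""
    return needle in container


if __name__ == "__main__":
    # Constructed sample modules; the bytes are placeholders, not real payloads.
    key = b"k" * 32
    vfs = pack({"keylogger": b"MZ keylogger-stub", "usb_index": b"MZ usb-index-stub"}, key)
    print(sorted(read_index(vfs)))
    print(load_module(vfs, key, "keylogger"))
    print(contains_plaintext(vfs, b"keylogger-stub"))
```

Two things this toy makes visible for defenders: the module bodies are invisible to a plain string or signature scan of the container file, so detection has to key on the loader's behaviour or on the decrypted modules in memory; and because this example leaves the index names in clear, a string hunt would still find them, which is why a real framework encrypts its index as well.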

Still unknown, however, is the initial attack or infection vector for TajMahal.

While Kaspersky researchers declined to speculate on which nation-state is behind TajMahal, other experts say its well-resourced and comprehensive attack arsenal indicates that it's one of the most advanced APT groups in operation. "The modular nature of the code, coupled with advanced persistence features to engage in proximity attacks, makes it truly formidable," says Tom Kellermann, chief cybersecurity officer at Carbon Black. "This code is being selectively deployed across the [Central Asia] region and should serve as a harbinger of APTs to come." 

TajMahal's capabilities demonstrate how cyberattacks can be executed "in the physical world" as well, Kellermann says, by pilfering data from printer queues, burned CDs, and USBs, and turning on computer microphones and cameras from afar.

While protecting networks from determined nation-states and other advanced attackers is never foolproof, the usual best practices can minimize exposure. Kaspersky Lab recommends schooling users on phishing and social engineering scams, keeping software updated, and employing advanced endpoint security tools.

The researchers also released indicators of compromise and other technical details for TajMahal.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
