A new, highly sophisticated advanced persistent threat (APT) framework targeting a single Central Asian diplomatic agency was discovered by researchers at Kaspersky Lab. The malware samples associated with the APT reveal a complex, never-before-seen code base, which makes it difficult to detect.
The APT, named TajMahal, was found by Kaspersky in late 2018. The samples examined show that the cyberespionage group behind the attack has been active since August 2014.
The attackers developed this framework in two parts, or packages, called “Tokyo” and “Yokohama”, which together contain 80 malicious modules.
According to the researchers, who released a report on TajMahal at the 2019 Security Analyst Summit, this is one of the highest numbers of plugins ever seen for any APT toolset.
The attackers’ toolkit includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and even a file indexer to organize data from a target’s machine.
One of its more interesting functions is the ability to steal documents from removable storage devices, such as a USB drive. When the drive is first connected, the files on it are identified; when it is connected a second time, only the targeted files on the drive are exfiltrated.
Kaspersky has not shared details about who was targeted by TajMahal in this most recent campaign, beyond that it was a Central Asian diplomatic agency.
Alexey Shulmin, lead malware analyst at Kaspersky, said that the APT’s complex communication protocol matches TajMahal’s sophisticated arsenal of plugins.
He stated that it has two types of command-and-control (C&C) servers, emergency and regular. The emergency ones are used to deliver emergency commands to the APT (to uninstall itself, to restore itself, to use the regular C&Cs, or to remain in inactive mode) by changing the IP addresses of the emergency domains.
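Because the emergency channel described above signals commands by changing the A records of a few domains rather than by sending payloads, DNS resolution history is one place a defender can look for it. The following is an added detection example written for this article; it is not Kaspersky's code and uses constructed passive-DNS style log lines with sample hostnames and addresses (not indicators from the report). It tracks how often each domain's resolved address changes and flags domains that flip repeatedly.

```python
from collections import defaultdict

# Constructed passive-DNS style log lines (timestamp, client, qname, rtype, answer).
# The hostnames and addresses are sample values, not indicators from the TajMahal report.
SAMPLE_DNS_LOG = """\
2019-04-01T08:00:01Z 10.0.0.5 status.example.invalid A 198.51.100.10
2019-04-01T08:00:03Z 10.0.0.5 www.example.invalid A 203.0.113.7
2019-04-01T09:00:01Z 10.0.0.5 status.example.invalid A 198.51.100.10
2019-04-01T09:00:03Z 10.0.0.5 www.example.invalid A 203.0.113.7
2019-04-01T10:00:01Z 10.0.0.5 status.example.invalid A 198.51.100.11
2019-04-01T10:00:02Z 10.0.0.5 mail.example.invalid A 192.0.2.20
2019-04-01T11:00:01Z 10.0.0.5 status.example.invalid A 198.51.100.12
2019-04-01T11:00:02Z 10.0.0.5 mail.example.invalid A 192.0.2.21
2019-04-01T12:00:01Z 10.0.0.5 status.example.invalid A 198.51.100.10
"""


def parse_dns_log(text):
    """Return (timestamp, qname, answer) tuples for the A-record answers in the log."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, _client, qname, rtype, answer = parts
        if rtype == "A":
            records.append((ts, qname.lower(), answer))
    return records


def resolution_history(records):
    """Per domain, the ordered list of (timestamp, answer) points at which the answer changed.

    Records are sorted by ISO-8601 timestamp first, so consecutive identical answers
    collapse into one entry and only real transitions are kept.
    """
    history = defaultdict(list)
    for ts, qname, answer in sorted(records):
        transitions = history[qname]
        if not transitions or transitions[-1][1] != answer:
            transitions.append((ts, answer))
    return history


def flag_flipping_domains(records, min_changes=2):
    """Domains whose A record changed at least min_changes times, mapped to the change count."""
    return {
        qname: len(transitions) - 1
        for qname, transitions in resolution_history(records).items()
        if len(transitions) - 1 >= min_changes
    }


if __name__ == "__main__":
    for qname, changes in flag_flipping_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{qname}: A record changed {changes} times")
```

On the sample data only `status.example.invalid` is flagged (three changes in five hours), while the one-time change of `mail.example.invalid` stays below the threshold. Round-robin and CDN-fronted domains also change answers often, so in practice this is a hunting lead rather than an alert on its own: run it against domains outside a known-CDN allowlist, weight low-volume domains queried by few hosts more heavily, and pivot from a hit to the process that performed the lookups.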
It was named TajMahal after the name the attackers gave to an XML file used for data exfiltration. The researcher claimed that this resembles a reference to an operation named “TadjMakhal” found in an older Turla threat group sample.
The only known victim of TajMahal also seems to have been targeted, unsuccessfully, by Zebrocy, a tool associated with the APT group Sofacy.
TajMahal is exceptional for its secrecy: the developers worked hard to keep it undetected by using an entirely new code base.
Creating an APT requires considerable resources, so developers usually try to reuse previously written code in a new project to make the process cheaper. But reusing existing code makes the APT easier to detect. Here, the complete APT was built afresh, which makes it difficult to detect.
The TajMahal framework is nonetheless very interesting: it combines great technical sophistication with a huge number of plugins implementing features not seen earlier in any other APT activity.
Several things about TajMahal remain unclear, such as how targets are infected. But it is certain that, with Kaspersky’s exposure of TajMahal, the attackers will have to start all over again from scratch.