Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/16/2019
06:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Decoding a 'New' Elite Cyber Espionage Team

Stealthy and well-heeled hacking group went undetected for five years and wields a massive attack framework of some 80 different modules.

It's an expansive cyber espionage operation that canvasses a victim's network with backdoors, loaders, keyloggers, screen and webcam grabbers, and audio recorders, and it even siphons data from printer queues, burned CDs, and Apple iOS smartphone backups.  

The so-called TajMahal attack framework operated invisibly for five years until it was uncloaked last fall by researchers at Kaspersky Lab who found it embedded deep in the network of a diplomatic organization in Central Asia, where it had been spying and stealing documents since 2014. TajMahal comes with a whopping 80 different attack modules, including an unusual and rare one that lets the attacker steal specific files from a USB stick when the device is inserted into a computer.

Given the breadth of TajMahal's attack arsenal, there are likely other victims that have not yet been identified. "They're possibly using this framework elsewhere, but we're not [able to see] in those organizations. It would be highly unusual for a malware set that looks like this to be for" a single use, said Kurt Baumgartner, principal security researcher with Kaspersky Lab, in an interview last week at the Kaspersky Security Analyst Summit in Singapore, where the company shared its findings on TajMahal. 

The researchers found no ties between TajMahal to existing nation-state threat groups, nor any similarities in its code base to others'. It appears to be a "new," previously unknown cyber espionage group that's especially advanced and well resourced and that expects to be well entrenched in a victim's network for long periods of time, according to Baumgartner. "They actually exfiltrate an entire mobile phone backup — that's something that takes a lot of time."

While TajMahal's mobile-theft capability is rare, it's also reminiscent of the epic Red October APT cyber espionage campaign that Kaspersky Lab first unearthed in 2013. "Red October built out modules that were purpose-built for exfiltrating mobile data," Baumgartner said.

Red October stole terabytes of information from computers, smartphones, routers, and VoIP phones of government, diplomatic, and scientific research organizations spanning multiple regions worldwide, and at the time was considered one of the most sophisticated cyber espionage operations in the world.

Baumgartner said TajMahal, with its massive number of plug-in modules, falls into the category of a well-resourced APT like Flame and Duqu, two other infamous cyber espionage attack groups. Another interesting element of TajMahal is its virtual file system (VFS), an indexed and encrypted file system it uses for its attack tools, he said.

It's likely the attackers also have changed IP addresses to evade detection, according to Alexey Shulman, lead malware analyst at Kaspersky Lab. "They are probably on other machines" that haven't yet been discovered, he said.

Tokyo & Yokohama
TajMahal, which was named after the file the attackers use to exfiltrate data, is made up of two main components: Tokyo and Yokohama. Tokyo helps launch the first stage of the attack, and includes three modules, including the main backdoor and command-and-control communication, using PowerShell to remain hidden in the network.

Yokohama is the second stage of the attack, the full-blown spying operation, and uses the attackers' VFS with the 80 modules, which also include command-and-control communicators, cryptography key stealers, and browser cookie stealers that target Internet Explorer, Firefox, and Netscape Navigator, for example.

Still unknown, however, is the initial attack or infection vector for TajMahal.

While Kaspersky researchers declined to speculate on which nation-state is behind TajMahal, other experts say its well-resourced and comprehensive attack arsenal indicates that it's one of the most advanced APT groups in operation. "The modular nature of the code, coupled with advanced persistence features to engage in proximity attacks, makes it truly formidable," says Tom Kellermann, chief cybersecurity officer at Carbon Black. "This code is being selectively deployed across the [Central Asia] region and should serve as a harbinger of APTs to come." 

TajMahal's capabilities demonstrate how cyberattacks can be executed "in the physical world" as well, Kellermann says, by pilfering data from printer queues, burned CDs, and USBs, and turning on computer microphones and cameras from afar.

While protecting networks from determined nation-states and other advanced attackers is never foolproof, the usual best practices can minimize exposure. Kaspersky Lab recommends schooling users on phishing and social engineering scams, keeping software updated, and employing advanced endpoint security tools.

The researchers also released indicators of compromise and other technical details for TajMahal.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
CVE-2018-7844
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
CVE-2018-7853
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
CVE-2018-7854
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.