SINGAPORE – Researchers at Kaspersky Lab have discovered a new, highly sophisticated advanced persistent threat (APT) framework targeting a single Central Asian diplomatic agency. Malware samples associated with the APT reveal a complex never-before-seen code base, making it extremely hard to detect.
The APT, called TajMahal, was found by Kaspersky late 2018. Samples examined suggest the cyberespionage group behind the attack has been active since August 2014.
What makes TajMahal so sophisticated? The criminals behind the development of this framework created two parts, or packages, named “Tokyo” and “Yokohama” that together contain 80 malicious modules. “This is one the highest number of plugins we’ve ever seen for any APT toolset,” according to researchers, who released a report on TajMahal on Wednesday at the 2019 Security Analyst Summit.
Kaspersky said the attackers’ toolkit includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even a file indexer to organize data from a target’s machine.
One particularly interesting function is the ability to steal documents from removable storage devices, such as a USB drive. Files on external drive are first identified, then upon second use of the drive only the targeted file on the drive is exfiltrated.
Palace Intrigue
Kaspersky isn’t sharing the details on who specifically TajMahal targeted in this most recent campaign, beyond a Central Asian diplomatic agency. “A likely hypothesis would be that there are other additional victims we haven´t found yet,” Kaspersky said.
Alexey Shulmin, lead malware analyst at Kaspersky, said that the APT’s complex communication protocol matches TajMaha’s sophisticated arsenal of plugins.
“It has two types of command-and-control servers: emergency and regular,” Shulmin said. “Emergency ones are used to deliver emergency commands to the APT (to uninstall itself, to restore itself, to use the regular C&Cs or to retain inactive mode) by changing the IP addresses of the emergency domains. It is a very tricky and interesting approach.”
The moniker TajMahal was given the group because that’s the name the attackers gave an XML file used for data exfiltration. That’s similar to a references to an operation named “TadjMakhal” found in an older Turla threat group sample, the researcher noted.
“Interestingly, the only known victim of TajMahal appears also to have been targeted by Zebrocy, although unsuccessfully,” Shulmin said. Zebrocy is a tool associated with the APT group Sofacy .
Keeping Quiet
Second to sophistication, TajMahal is remarkable for its stealth, said researchers. Developers of the framework have gone to great lengths to keep it undetected. Chief among those efforts is the use of an entirely new code base.
“Typically, it takes significant resources to create an APT, and that is why developers try to integrate previously used code into any new project – to make the APT-creation process cheaper,” Shulmin said. However, the presence of reused code also makes the APT’s detection and discovery easier, he said. “In this case, the whole APT is created anew, making detection harder.”
Further efforts towards stealth include behavioral detection avoidance. That includes a dearth of “dirty hacks or undocumented features” that might trigger suspicious by endpoint or perimeter defenses. Adversaries behind TajMahal go a step further, and have the ability to randomize service names should a target try to delete an infection, Shulmin said.
“[If you delete the] Frontend file or related registry values, it will reappear after reboot with a new name and another startup type,” according to the Kaspersky report.
“The TajMahal framework is a very interesting and intriguing… The technical sophistication is beyond any doubt, including a huge amount of plugins that implement a number of features that we have not previously [been] seen in any other APT activity, such as having its own indexer, emergency C2s, stealing files from external drives when connected again,” Kaspersky researchers wrote.
Researchers stressed that much is still unclear about TajMahal – such as how targets are getting infected. But one thing is clear. With Kaspersky’s exposure of TajMahal, the attackers are going to have to start over from scratch.