Facebook Twitter Linkedin Youtube RSS
Eye of Dubai
 
Thursday, June 20, 2019
Sign up for newsletter:
Advertise with us
℃ Dubai   
Close
| Register | Login
Username
Password
Image Verification
Refresh
Close
|
Technology & IT NEWS
Technology & IT is sponsored by:
Posted on: Thursday 11 April, 2019 5:47 pm
TajMahal: rare spying platform with 80 malicious modules, unique functionality and no known links to current threat actors

Kaspersky Lab researchers have uncovered a technically sophisticated cyberespionage framework that has been active since at least 2013 and appears to be unconnected to any known threat actors. The framework, which researchers have named TajMahal, features around 80 malicious modules and includes functionality never before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects. Kaspersky Lab has so far seen only one victim, a foreign-based central Asian embassy, but it is likely that others have been affected.

 

Kaspersky Lab researchers discovered TajMahal in late 2018. It is a technically sophisticated APT framework designed for extensive cyberespionage. Malware analysis shows that the platform has been developed and used for at least the last five years, with the earliest sample dated April 2013, and the most recent August 2018. The name TajMahal comes from the name of the file used to exfiltrate the stolen data.

 

The TajMahal framework is believed to include two main packages, self-named as ‘Tokyo’ and ‘Yokohama’.

Tokyo is the smaller of the two, with around three modules. It contains the main backdoor functionality, and periodically connects with the command and control servers. Tokyo leverages PowerShell and remains in the network even after the intrusion has moved to stage two.

Stage two is the Yokohama package: a fully armed spying framework. Yokohama includes a Virtual File System (VFS) with all plugins, open source and proprietary third-party libraries, and configuration files.  There are nearly 80 modules in all, and they include loaders, orchestrators, command and control communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers.

TajMahal is also able to grab browser cookies, gather the backup list for Apple mobile devices, steal data from a CD burnt by a victim as well as documents in a printer queue. It can also request the theft of a particular file from a previously seen USB stick, and the file will be stolen the next time the USB is connected to the computer.

The targeted systems found by Kaspersky Lab were infected with both Tokyo and Yokohama. This suggests that Tokyo was used as first stage infection, deploying the fully-functional Yokohama package on interesting victims, and then left in for backup purposes.

 

So far, only one victim has been observed - a foreign based, central Asian diplomatic entity, infected by 2014. The distribution and infection vectors for TajMahal are currently unknown.

The TajMahal framework is a very interesting and intriguing finding. The technical sophistication is beyond doubt and it features functionality we have not seen before in advanced threat actors. A number of questions remain. For example, it seems highly unlikely that such a huge investment would be undertaken for only one victim. This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both. The distribution and infection vectors for the threat also remain unknown.  Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question.  There are no attribution clues nor any links we can find to known threat groups,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab.

All Kaspersky Lab products successfully detect and block this threat.

 

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:

 

  • Use advanced security tools like Kaspersky Anti Targeted Attack Platform (KATA) and make sure your security team has access to the most recent cyber threat intelligence.
  • Make sure you update all software used in your organization on a regular basis, particularly whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
  • Choose a proven security solution such as Kaspersky Endpoint Security that is equipped with behavior-based detection capabilities for effective protection against known and unknown threats, including exploits.
  • Ensure your staff understand basic cybersecurity hygiene, as many targeted attacks start with phishing or other social engineering technique.

Print this Article
comments powered by Disqus
Eyeofdubai Autos
Jobs
Realestate
Book Hotels
Our Sponsors
  • Mobily
  • Emirates Airline
  • Saudi Arabian General Investment Authority
  • Alsorayai Group
  • Emaar
  • HP
  • Council of Saudi Chambers
  • Lomar
  • SAUDIA AIRLINES
  • Emirates NBD
  • du
  • Dubai Chamber
  • Dubai Tourism
  • Microsoft
  • Riyadh Chamber of Commerce
Eye Of Dubai
Islamic Date Converter Close
Gregorian Calender
Month Day Year
Hijri/Islamic Calender
Month Day Year
Day of the Week:

World Time Close
Unit Converter Close
Kindly select the desired Values & Units:
Convert
 
Forgot Your Password Close
We will send an email to your inbox to clear things up
Username or Email
* Mandatory fields / Error alert
Submit
Track Shipments Online Close
Enter Aramex AWB number
Enter DHL AWB number
Enter Fedex AWB number
Enter TNT AWB number
Enter UPS AWB number
Daily Newspaper Close
www.emaratalyoum.com/
www.albayan.ae/
www.khaleejtimes.com/
www.alittihad.ae/
www.gulfnews.com
www.thenational.ae/
www.alroeya.ae/
www.emirates247.com/
www.alkhaleej.ae/
www.gulftoday.ae/