Decoding a 'New' Elite Cyber Espionage Team

Stealthy and well-heeled hacking group went undetected for five years and wields a massive attack framework of some 80 different modules.

It's an expansive cyber espionage operation that canvasses a victim's network with backdoors, loaders, keyloggers, screen and webcam grabbers, and audio recorders, and it even siphons data from printer queues, burned CDs, and Apple iOS smartphone backups.

The so-called TajMahal attack framework operated invisibly for five years until it was uncloaked last fall by researchers at Kaspersky Lab who found it embedded deep in the network of a diplomatic organization in Central Asia, where it had been spying and stealing documents since 2014. TajMahal comes with a whopping 80 different attack modules, including an unusual and rare one that lets the attacker steal specific files from a USB stick when the device is inserted into a computer.

Given the breadth of TajMahal's attack arsenal, there are likely other victims that have not yet been identified. "They're possibly using this framework elsewhere, but we're not [able to see] in those organizations. It would be highly unusual for a malware set that looks like this to be for" a single use, said Kurt Baumgartner, principal security researcher with Kaspersky Lab, in an interview last week at the Kaspersky Security Analyst Summit in Singapore, where the company shared its findings on TajMahal.

The researchers found no ties between TajMahal to existing nation-state threat groups, nor any similarities in its code base to others'. It appears to be a "new," previously unknown cyber espionage group that's especially advanced and well resourced and that expects to be well entrenched in a victim's network for long periods of time, according to Baumgartner. "They actually exfiltrate an entire mobile phone backup — that's something that takes a lot of time."

While TajMahal's mobile-theft capability is rare, it's also reminiscent of the epic Red October APT cyber espionage campaign that Kaspersky Lab first unearthed in 2013. "Red October built out modules that were purpose-built for exfiltrating mobile data," Baumgartner said.

Red October stole terabytes of information from computers, smartphones, routers, and VoIP phones of government, diplomatic, and scientific research organizations spanning multiple regions worldwide, and at the time was considered one of the most sophisticated cyber espionage operations in the world.

Baumgartner said TajMahal, with its massive number of plug-in modules, falls into the category of a well-resourced APT like Flame and Duqu, two other infamous cyber espionage attack groups. Another interesting element of TajMahal is its virtual file system (VFS), an indexed and encrypted file system it uses for its attack tools, he said.

It's likely the attackers also have changed IP addresses to evade detection, according to Alexey Shulman, lead malware analyst at Kaspersky Lab. "They are probably on other machines" that haven't yet been discovered, he said.

Tokyo & Yokohama

TajMahal, which was named after the file the attackers use to exfiltrate data, is made up of two main components: Tokyo and Yokohama. Tokyo helps launch the first stage of the attack, and includes three modules, including the main backdoor and command-and-control communication, using PowerShell to remain hidden in the network.

Yokohama is the second stage of the attack, the full-blown spying operation, and uses the attackers' VFS with the 80 modules, which also include command-and-control communicators, cryptography key stealers, and browser cookie stealers that target Internet Explorer, Firefox, and Netscape Navigator, for example.

Still unknown, however, is the initial attack or infection vector for TajMahal.

While Kaspersky researchers declined to speculate on which nation-state is behind TajMahal, other experts say its well-resourced and comprehensive attack arsenal indicates that it's one of the most advanced APT groups in operation. "The modular nature of the code, coupled with advanced persistence features to engage in proximity attacks, makes it truly formidable," says Tom Kellermann, chief cybersecurity officer at Carbon Black. "This code is being selectively deployed across the [Central Asia] region and should serve as a harbinger of APTs to come."

TajMahal's capabilities demonstrate how cyberattacks can be executed "in the physical world" as well, Kellermann says, by pilfering data from printer queues, burned CDs, and USBs, and turning on computer microphones and cameras from afar.

While protecting networks from determined nation-states and other advanced attackers is never foolproof, the usual best practices can minimize exposure. Kaspersky Lab recommends schooling users on phishing and social engineering scams, keeping software updated, and employing advanced endpoint security tools.

The researchers also released indicators of compromise and other technical details for TajMahal.

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading: