Security researchers at Kaspersky Lab have uncovered a new and sophisticated advanced persistent threat framework that was likely developed by a nation-state.
Dubbed “TajMahal,” the APT framework contains 80 malicious modules that can be used to attack and steal data from an intended victim.
Described by Kaspersky researchers today as one of the most complex and largest APT frameworks discovered to date, the modules read like a list of every form of hacking tool available. They include backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and a file indexer for the victim’s machine.
TajMahal is believed to date back to 2013. The researchers identified only one victim so far, a “diplomatic entity in Central Asia” who was targeted in 2014. Kaspersky discovered the APT only in the fall of 2018.
As with its long list of functions, a TajMahal attack is capable of stealing various types of data. The list of includes stealing documents sent to a printer queue, gathering victim recon data, taking screenshots when recording VoiceIP app audio, stealing written CD images, stealing files from removable drives and stealing cookies from web browsers.
“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt,” the researchers said. “The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity.”
Only one victim has been identified to date, but the researchers added that “a likely hypothesis is that there are other victims we haven’t found yet.”
Kaspersky did not suggest who may have been behind the development of TajMahal, but some sites are suggesting that the reason they haven’t pointed the finger is political sensitivities. In this case, the suggestion is the developer of TajMahal was a body tied to the U.S. government, likely the National Security Agency.
Matthew Gardiner, a cybersecurity expert at email security and management firm Mimecast Ltd., told SiliconANGLE that the industrialization of cybercrime is a fact of life.
“Technical specialists, nation-state actors, cybercriminals, botnet masters and many other members of the malicious supply-chain continue to work their turf and collaborate for mutual benefit, and this newly discovered RAT or ATP framework is just more evidence of this,” Gardiner said. ‘While at first glance it appears this exploit has been focused on enabling nation-state attacks for cyberespionage, we should assume that this tool will eventually be used and mutated by money-oriented cybercriminals for their broader purposes.”