Delaware, USA – April 11, 2019 – TajMahal cyberespionage framework was unnoticed by experts for five years. In a recently published report, KasperskyLab’s experts disclosed that the earliest attack using this malicious tool dates back to 2014, and the most recent version of TajMahal was compiled last year. This is probably the most sophisticated and multifunctional malware discovered in recent years. The campaign victims were located in Central Asia and worked at a diplomatic entity. Despite the fact that the researchers analyzed only a few successful infections, they are assumed that the unnamed APT group used TajMahal in other campaigns. Malicious software consists of two parts, the first, which is called Tokyo, after penetrating the system uses PowerShell to install a backdoor and download the second part of the tool – Yokohama. Yokohama includes most of the 80 attack modules used by threat actor. In addition to standard features such as keylogging and infostealing, the malware also has many “exotic” features. The сyberespionage framework is capable of recording VoiceIP app audio, gathering data from the backup list for Apple phones and reappearing on the attacked machine after a deletion with a new name.
KasperskyLab’s experts have not yet been defined how the initial compromise occurs, as well as an APT group behind this sophisticated tool. The fact that attackers managed to hide their malware from the attention of researchers for so many years testifies to the group’s skills and the cyberespionage framework use only in highly targeted attacks. To uncover attacks of advanced hacking groups by indirect evidence, you can use your SIEM and the APT Framework rule pack: https://my.socprime.com/en/integrations/apt-framework-arcsight