Overview
'TajMahal' is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. The complete spying framework consists of two packages, self-named "Tokyo" and "Yokohama". It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic-key stealers, and even its own file indexer for the victim's machine. Kaspersky found up to 80 malicious modules stored in its encrypted virtual file system, one of the highest plugin counts seen in any APT toolset.
To highlight its capabilities: TajMahal can steal data from a CD burnt by the victim as well as documents sent to the printer queue. It can also be tasked to steal specific files from a USB stick it has seen before; the next time that USB stick is connected to the computer, the files are stolen.
TajMahal has been developed and in use for at least the past five years. The earliest known "legitimate" sample timestamp is from August 2013 and the latest from April 2018. The first confirmed date on which a TajMahal sample was seen on a victim's machine is August 2014.
Technical Details
Kaspersky discovered two different types of TajMahal package, self-named Tokyo and Yokohama, and found victim systems infected with both. This suggests that Tokyo is used as the first stage of infection and then deploys the fully functional Yokohama on the victim's system, as illustrated in the framework diagram below:
The modules found on the victims' machines have the following interesting capabilities:
Ability to steal documents sent to the printer queue.
Data collected for victim reconnaissance includes the backup list for Apple mobile devices.
Takes screenshots while recording audio from VoIP applications.
Steals written CD images.
Ability to steal files previously seen on removable drives once they become available again.
Steals cookies from Internet Explorer, Netscape Navigator, Firefox and RealNetworks.
If deleted from the front-end file or the related registry values, it reappears after a reboot with a new name and launch type.
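The last capability matters for incident response: deleting the visible autostart value and rebooting is not a cleanup, because the implant re-registers itself under a different name and launch type, so a check that compares autostart entries by name reports it as gone. The script below, an added example that is not code from the article or from Kaspersky's report, compares two autostart snapshots (before the deletion, and after the reboot) by the hash of the file each entry actually launches rather than by entry name. All registry paths, file names and hashes in it are constructed sample data, not TajMahal indicators.

```python
"""Detect an autostart entry that reappears under a new name after reboot.

Added example. Behaviour modelled: a persistence entry removed from a Run key
comes back after reboot with a different value name and launch type. Matching
on the value name misses it; match on what actually runs (file SHA-256) instead.
All snapshots below are constructed sample data, not real indicators.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AutostartEntry:
    location: str      # registry key / task folder / startup folder (hypothetical)
    name: str          # value name or task name; this is what changes after respawn
    launch_type: str   # 'registry_run' | 'scheduled_task' | 'service' | 'startup_folder'
    image_path: str    # file the entry launches
    sha256: str        # hash of the file at image_path (hex)


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot taken before the responder deleted the suspicious entry.
BEFORE_REBOOT: List[AutostartEntry] = [
    AutostartEntry(RUN_KEY, "OneDrive", "registry_run",
                   r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "1111" * 16),
    AutostartEntry(RUN_KEY, "UpdaterSvc", "registry_run",
                   r"C:\ProgramData\Updater\upd.exe", "abcd" * 16),
]

# Constructed snapshot after the responder deleted the 'UpdaterSvc' value and
# rebooted: the same binary is back as a scheduled task with a new name.
AFTER_REBOOT: List[AutostartEntry] = [
    AutostartEntry(RUN_KEY, "OneDrive", "registry_run",
                   r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "1111" * 16),
    AutostartEntry(r"\Microsoft\Windows\Maintenance", "WinHelperLoader", "scheduled_task",
                   r"C:\ProgramData\Updater\upd.exe", "abcd" * 16),
]


def name_only_diff(before: List[AutostartEntry], after: List[AutostartEntry]) -> List[str]:
    """The naive check: entry names present before but absent after.

    For the sample data this returns ['UpdaterSvc'], i.e. it wrongly concludes
    that the removed entry stayed removed.
    """
    after_names = {e.name for e in after}
    return [e.name for e in before if e.name not in after_names]


def respawned_entries(before: List[AutostartEntry],
                      after: List[AutostartEntry]) -> List[Tuple[AutostartEntry, AutostartEntry]]:
    """Pair each pre-reboot entry with post-reboot entries that launch the same
    file (same SHA-256) under a different name or launch type.

    Returns (old, new) pairs; an empty list means nothing re-registered itself.
    """
    by_hash_after: Dict[str, List[AutostartEntry]] = {}
    for entry in after:
        by_hash_after.setdefault(entry.sha256, []).append(entry)

    pairs: List[Tuple[AutostartEntry, AutostartEntry]] = []
    for old in before:
        for new in by_hash_after.get(old.sha256, []):
            if (new.name, new.launch_type) != (old.name, old.launch_type):
                pairs.append((old, new))
    return pairs


if __name__ == "__main__":
    print("name-only diff says removed:", name_only_diff(BEFORE_REBOOT, AFTER_REBOOT))
    for old, new in respawned_entries(BEFORE_REBOOT, AFTER_REBOOT):
        print(f"respawned: {old.name} ({old.launch_type}) -> "
              f"{new.name} ({new.launch_type}) [{new.image_path}]")
```

Hash matching only catches the case where the same file is re-registered; if the implant also rewrites its own binary on respawn, the second snapshot has to be compared against a known-good baseline of every autostart image path instead of against the pre-reboot snapshot.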
Attribution:
Conjecture 1: Russia
Kaspersky has so far disclosed only one victim, a diplomatic entity in Central Asia. In earlier reports, APT28 had also begun carrying out attacks against Central Asia.
Conjecture 2: United States
As a map shows, Central Asia borders Russia and China, and the region has long been a target of United States efforts to win it over.
Kaspersky describes the framework as a complex modular framework. According to the timestamps it was compiled as early as 2013, yet Kaspersky only discovered it in 2018. American APT attacks are usually stealthy and modular, which makes them hard to detect; Flame was the first complex modular Trojan to be discovered.
The above is the detailed content of How to use APT framework TajMahal. For more information, please follow other related articles on the PHP Chinese website!