Mysterious hackers hid their Swiss-army-knife spyware for 5 years




It is not every day that security researchers discover a new state-sponsored hacking group. Rarer still is the emergence of a spyware framework with 80 separate components that can pull off strange and unique tricks, and that has kept them secret for more than five years.

At the Kaspersky Security Analyst Summit in Singapore on Wednesday, Kaspersky security researcher Alexey Shulmin revealed that the company had discovered a new spyware framework, an adaptable, modular piece of software with a range of plugins for separate spying tasks, which it calls TajMahal. According to Shulmin, the 80 modules of the TajMahal framework include not only the classic keylogging and screen-capture features of spyware, but also some unique and previously unseen tricks. It can intercept documents in a print queue and keep track of "files of interest", automatically stealing them if a USB drive is inserted into the infected machine. And this unique spyware toolbox, Kaspersky says, carries no fingerprints of any known hacker group.

"Such a large set of modules tells us that this APT is extremely complex," Shulmin wrote in an email interview ahead of his talk, using the industry jargon, short for "advanced persistent threat", for a sophisticated hacker that maintains long-term and stealthy access to victim networks. "TajMahal is an extremely rare, technically advanced and sophisticated framework that includes a number of exciting features that we have never seen before in any other APT activity. In addition, this APT has a totally new codebase, with no code similarities to other APTs or known malware, so we consider TajMahal special and intriguing."


Kaspersky says it first detected the TajMahal spyware framework last fall, on the network of a single victim: an embassy of a Central Asian country whose nationality and location Kaspersky declines to name. But given the sophistication of the software, Shulmin argues that TajMahal was probably deployed elsewhere. "It seems highly unlikely that such an investment would be made for a single victim," he writes. "This suggests that there are other, unidentified victims, or additional versions of this malware in the wild, or possibly both."

These initial findings could point to a state-sponsored intelligence-gathering operation that is very cautious and unobtrusive, says Jake Williams, a former member of the National Security Agency's elite hacking group Tailored Access Operations. "Its scalability requires a large team of developers," Williams says. He also points out that its ability to evade detection, and the single known victim, suggest extreme care in targeting, stealth and operational security. "There are all sorts of things here that scream opsec and very fine-grained tasking."

Shulmin says Kaspersky has not yet been able to connect TajMahal, named for a file the spyware uses to move stolen data off the victim's machine, to any known hacker group by the usual methods of matching code, shared infrastructure or familiar techniques. Its Central Asian target provides no easy clue to the hackers' identity either, given the vagueness of that description and the number of countries with sophisticated hacking teams that have interests in Central Asia, including China, Iran, Russia and the United States. Nor has Kaspersky determined how the hackers behind TajMahal gained initial access to a victim network. But it notes that the group first installs a backdoor program on machines, which the hackers named Tokyo. That backdoor uses the common PowerShell hacking framework to let the hackers expand their compromise, connect to a command-and-control server and install TajMahal's far more multifunctional spyware, which the hackers labelled Yokohama, with its dozens of separate modules.

Yokohama's Swiss-army-knife versatility is what most struck Kaspersky's researchers. Although it incorporates many of the usual powerful capabilities of state-sponsored spyware, it also has some special features: when a USB drive is plugged into an infected PC, it scans the drive's contents and uploads a file list to the command-and-control server, where the spies behind TajMahal can decide which files they want to exfiltrate. If the USB drive has been removed by the time the hackers make that decision, TajMahal can automatically watch the USB port for the same drive and extract the chosen file when the drive next appears. The spyware has other modules that let it flag files burned to a CD or placed in a printer queue.
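The two-step removable-media behaviour described above (inventory the drive on first insertion, then come back for a chosen file when the same drive reappears) leaves a recognisable pattern in endpoint telemetry. The following is an added example written for this page, not code from the article or from Kaspersky: a small correlation rule run over constructed events. The event schema, the host and process names, the device serials and the destination address (a documentation-range IP) are all hypothetical; a real deployment would map its own EDR or Sysmon fields onto the `Event` record.

```python
"""Constructed example (not from the article or from Kaspersky): a toy
correlation rule for the removable-media pattern attributed to TajMahal's
Yokohama modules. Every event below is made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed values)
    host: str     # endpoint name (hypothetical)
    kind: str     # "usb_mount", "usb_unmount", "file_read" or "net_send"
    proc: str     # process name (hypothetical)
    detail: str   # "key=value;key=value" or a file path


# Constructed telemetry. "svchost_fake.exe" stands in for an implant process;
# 203.0.113.7 is a documentation address, not a real command-and-control host.
SAMPLE_EVENTS = [
    Event(1000, "ws-07", "usb_mount", "system", "serial=ABC123;mount=E:"),
    # Inventory step: one process enumerates many files right after the mount.
    *[Event(1001 + i, "ws-07", "file_read", "svchost_fake.exe", f"E:\\docs\\report{i}.docx")
      for i in range(25)],
    Event(1040, "ws-07", "net_send", "svchost_fake.exe", "dst=203.0.113.7:443;bytes=4096"),
    Event(1200, "ws-07", "usb_unmount", "system", "serial=ABC123"),
    # Collection step: the same device returns, one file is read and sent.
    Event(5000, "ws-07", "usb_mount", "system", "serial=ABC123;mount=E:"),
    Event(5002, "ws-07", "file_read", "svchost_fake.exe", "E:\\docs\\report3.docx"),
    Event(5003, "ws-07", "net_send", "svchost_fake.exe", "dst=203.0.113.7:443;bytes=917504"),
    # Benign: a user opens one photo from a stick and nothing leaves the host.
    Event(7000, "ws-12", "usb_mount", "system", "serial=XYZ999;mount=F:"),
    Event(7005, "ws-12", "file_read", "explorer.exe", "F:\\photos\\img1.jpg"),
]


def parse_kv(detail):
    """Turn 'serial=ABC123;mount=E:' into {'serial': 'ABC123', 'mount': 'E:'}."""
    return dict(part.split("=", 1) for part in detail.split(";") if "=" in part)


def find_usb_exfil_candidates(events, enum_threshold=20, window=300):
    """Flag a process that, within `window` seconds of a removable-media mount,
    reads files from that mount and then sends data over the network.

    Reasons reported per finding:
      "enumeration" - at least `enum_threshold` distinct files read from the
                      device before the send (the inventory step);
      "reinsertion" - the same device serial was already mounted on this host
                      earlier in the data (the come-back-for-it step).
    One finding is produced per mount at most.
    """
    events = sorted(events, key=lambda e: e.ts)
    mounts_seen = defaultdict(int)   # (host, serial) -> number of mounts so far
    findings = []
    for i, ev in enumerate(events):
        if ev.kind != "usb_mount":
            continue
        kv = parse_kv(ev.detail)
        serial, mount = kv.get("serial", "?"), kv.get("mount", "")
        mounts_seen[(ev.host, serial)] += 1
        repeat = mounts_seen[(ev.host, serial)] > 1
        reads = defaultdict(set)     # proc -> distinct paths read from the mount
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.host != ev.host:
                continue
            if later.kind == "usb_unmount" and parse_kv(later.detail).get("serial") == serial:
                break
            if later.kind == "file_read" and mount and later.detail.upper().startswith(mount.upper()):
                reads[later.proc].add(later.detail)
            elif later.kind == "net_send" and later.proc in reads:
                n_files = len(reads[later.proc])
                reasons = []
                if n_files >= enum_threshold:
                    reasons.append("enumeration")
                if repeat:
                    reasons.append("reinsertion")
                if reasons:
                    findings.append({
                        "host": ev.host, "proc": later.proc, "serial": serial,
                        "mount_ts": ev.ts, "files_read": n_files,
                        "bytes_sent": int(parse_kv(later.detail).get("bytes", 0)),
                        "reasons": reasons,
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_usb_exfil_candidates(SAMPLE_EVENTS):
        print(f)
```

On the constructed data the rule raises two findings on `ws-07` (the enumeration burst after the first mount, and the single read-and-send after the drive returns) and none for the ordinary photo copy on `ws-12`. The reinsertion reason is what makes the second finding possible: on its own, one file read followed by one upload would never clear an enumeration threshold, which is exactly why the article's "wait for the drive to come back" trick is hard to catch with a volume rule alone.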

None of these features is particularly flashy, but they signal a careful adversary that bothers to work out which files, among the vast and messy contents of a victim's computer, might be worth stealing. "You wouldn't print information, save it to a USB drive or burn it to a CD if that information weren't important in one way or another," Shulmin says.

Given its sophistication and eclectic features, it is remarkable how long TajMahal remained undetected. According to Kaspersky, the Central Asian embassy victim had been compromised since at least 2014, but the compilation times of various TajMahal components, the timestamps that indicate when a piece of it was built, show that it was active both before and long after that date. Some modules date back to 2013, while others are from 2018.

"Somehow it has stayed under the radar for over five years; whether this is due to relative inactivity or something else is another intriguing question," Shulmin writes. "It is a reminder to the cybersecurity community that we never really have full visibility of everything that is happening in cyberspace."
