
How the APT framework TajMahal works

2025-04-04 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report--

Many newcomers are unclear about what the APT framework TajMahal is and how it operates. To help with that, this article walks through what is known about it in detail; anyone interested can read on, and hopefully you will take something away from it.

Overview

TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This complete espionage framework consists of two packages, called "Tokyo" and "Yokohama". It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim's machine. Kaspersky found up to 80 malicious modules stored in its encrypted virtual file system, one of the largest plugin counts it has ever seen in an APT toolset.

To give a sense of its capabilities: TajMahal can steal data from the victim's printer queue and from CD images burned on the machine. It can also be asked to steal specific files it has previously seen on a USB memory stick; the next time that stick is connected to the computer, the files are stolen.

TajMahal has been developed and used for at least the past five years. The earliest plausible sample timestamp is from August 2013 and the latest from April 2018. The first confirmed date of a TajMahal sample on a victim's machine is August 2014.

Technical details

Kaspersky found two different types of TajMahal package, which call themselves Tokyo and Yokohama. The victim systems Kaspersky Lab identified were infected with both packages. This suggests that Tokyo is used as the first stage of infection, and that Tokyo then deploys the fully functional Yokohama on the victim system, as shown in the following figure:

Based on the modules found on these victims' machines, the following notable features were identified:

Can steal documents sent to the printer queue.

The data collected to fingerprint the victim includes the backup list of Apple mobile devices.

Takes screenshots while recording audio from VoIP applications.

Steals burned CD images.

Can steal files previously seen on a removable drive the next time that drive is available.

Steals cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks.

If it is removed from the front-end file or the related registry values, it reappears after reboot under a new name and with a new startup type.
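The last item in the list is the one a responder is most likely to trip over: deleting the visible service or Run-key entry is not enough if the implant re-registers itself on the next boot under a different name and start type. One practical check is to hash the binaries behind every autostart entry before the cleanup and again after the reboot, and flag any binary that an operator removed but that is back under a new name or start type. The script below is an added example written for this page, not Kaspersky's tooling or anything from TajMahal itself; the snapshot format (`AutostartEntry`) and the sample entries and hashes are constructed for illustration.

```python
"""Flag autostart entries that were deleted but came back after a reboot under a
different name or start type (persistence behaviour described above).
Example code added to this page; the entry format and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutostartEntry:
    name: str        # service name or Run-key value name
    path: str        # binary the entry points at
    start_type: str  # e.g. "auto", "demand", "boot"
    sha256: str      # hash of that binary, so renaming/moving it does not hide it


def find_resurrected(removed, after_reboot):
    """Return (removed_entry, new_entry) pairs where the same binary (by hash)
    that an operator removed is registered again under a different name or
    start type. An entry that is back with identical name and start type is
    not flagged here: that is what a plain reinstall looks like."""
    by_hash = {}
    for old in removed:
        by_hash.setdefault(old.sha256, []).append(old)
    hits = []
    for new in after_reboot:
        for old in by_hash.get(new.sha256, []):
            if new.name != old.name or new.start_type != old.start_type:
                hits.append((old, new))
    return hits


# Constructed sample data: hashes are placeholders, not real indicators.
IMPLANT_HASH = "aa" * 32
UPDATER_HASH = "bb" * 32
SPOOLER_HASH = "cc" * 32

# Entries the responder deleted before rebooting.
REMOVED = [
    AutostartEntry("NetSvcHelper", r"C:\Windows\System32\netsvchlp.dll", "auto", IMPLANT_HASH),
    AutostartEntry("VendorUpdater", r"C:\Program Files\Vendor\upd.exe", "auto", UPDATER_HASH),
]

# Autostart inventory taken after the reboot.
AFTER_REBOOT = [
    # Same binary as NetSvcHelper, new name, new start type: this is the implant coming back.
    AutostartEntry("WinMgmtSvc", r"C:\Windows\System32\wmgmtsvc.dll", "demand", IMPLANT_HASH),
    # Legitimately reinstalled with the same name and start type: not flagged.
    AutostartEntry("VendorUpdater", r"C:\Program Files\Vendor\upd.exe", "auto", UPDATER_HASH),
    # Untouched system service.
    AutostartEntry("Spooler", r"C:\Windows\System32\spoolsv.exe", "auto", SPOOLER_HASH),
]


if __name__ == "__main__":
    for old, new in find_resurrected(REMOVED, AFTER_REBOOT):
        print(f"resurrected: {old.name} ({old.start_type}) -> "
              f"{new.name} ({new.start_type}) at {new.path}")
```

Matching on the binary hash catches the rename-and-re-register trick, but not a variant that re-drops a modified binary; in that case pair the hash check with heuristics on path, size and signer, and treat any autostart entry created during the first boot after a cleanup as suspect until proven otherwise.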

Attribution:

Conjecture 1: Russia

Kaspersky has so far disclosed only one victim, a diplomatic entity in Central Asia, and earlier reports have also documented APT28 attacks against Central Asia.

Conjecture 2: United States

As the map shows, Central Asia borders Russia and China, and the region has long been a target of the United States.

Kaspersky describes the framework as a complex modular one; its timestamps show it was compiled as early as 2013, yet Kaspersky only discovered it in 2018. US APT operations are typically covert, modular and hard to detect; Flame, for example, was the first complex modular Trojan to be discovered.
