LTS Secure Warning: Overview Of TajMahal APT Framework
TajMahal is a highly technical and sophisticated APT framework discovered by Kaspersky Lab in 2018. It was developed as a spying framework and consists of two core packages, Tokyo and Yokohama. It contains backdoors, orchestrators, loaders, C&C communicators, keyloggers and audio recorders. So far, 80 malicious modules stored in its encrypted Virtual File System have been identified, allowing the attacker to carry out a wide range of attack scenarios.
Technical Details
The TajMahal framework consists of two core packages, Tokyo and Yokohama. Tokyo is used in the first stage to infect the targeted machine. The package consists of:
- 3 modules
- Backdoor
- PowerShell scripts
- Contacts the C&C server
- Stays on the target machine as a backup
Once this is done, the fully functional Yokohama package is deployed on the target machine. The package consists of:
- Up to 80 modules
- An encrypted Virtual File System
- Plugins, libraries, configuration files and more
Both packages share the same code base.
Impact
- Steals cookies and data from browsers.
- Steals documents sent to the printer queue.
- Logs keystrokes.
- Steals data from CD images.
- Steals specific files from external storage devices once they become available again.
Conclusion
The TajMahal framework is one of the most intriguing discoveries in recent times and is of great interest to the InfoSec community. The huge number of modules that can be used to implement a wide range of features is something never before seen in any other APT toolset.
LTS Secure Next Gen. SIEM uses its integration with OTX to help identify early signs of compromise and to initiate risk mitigation automations for such advanced threats to IT infrastructure.