    New Cyber Espionage Campaign Features Never-Before-Seen Malware Tools

    The key to defending against new attack types is a multi-layered security strategy.

    by Matthew Gardiner

    Attackers are always looking to get the upper hand on their targets. Many of the methods and tactics attackers use are tried-and-true. But sometimes we see things we haven’t seen before.

    An example of this was highlighted in a recent article on ZDNet. Threat researchers recently discovered a new form of malware being deployed as part of a highly stealthy cyber espionage campaign.

    “TajMahal,” which is named after the file it uses to exfiltrate stolen data, has a number of new capabilities, including: stealing documents sent to a printer queue; stealing files previously seen on removable drives as soon as they’re available again; stealing data burnt onto a CD by a victim; and taking screenshots while recording audio from VoIP applications.

    This malware provides cybercriminals with a “full blown spying framework,” allowing them to issue commands directly to the backdoor of infected systems. This includes being able to issue system commands, take screenshots and use keylogging to steal usernames and passwords. It can even open and exfiltrate documents using its file indexer.

    Researchers said TajMahal stayed under the radar for so long because it has a completely new code base, with no similarities to known APTs or malware, and because it employs an automatic update mechanism that regularly deploys new samples as needed.

    Sophisticated malware detection capabilities needed

    TajMahal again shows that the industrialization of cybercrime is a fact of life. Technical specialists, nation state actors, cybercriminals, botnet masters and many other members of the malicious supply chain continue to work their turf and collaborate for mutual benefit. This newly discovered RAT, or APT framework, is just more evidence of this.

    While at first glance this malware appears to have been focused on enabling nation state attacks for cyber espionage, we should assume that the tool will eventually be used and mutated by money-oriented cybercriminals for their broader purposes. This is generally what happens with sophisticated new attack tools: usage spreads out over time.

    While initial reports are unclear about the distribution method of TajMahal, given that its Tokyo component is a dropper, the likelihood that it is or will be delivered via email is very high. This is why email security systems with sophisticated malware detection capabilities are a must.

    Email security systems, in conjunction with endpoint protection, patching, network monitoring, web security and other security controls, are an important part of a multi-layered security strategy.
