Researchers at Kaspersky Lab today issued a pair of reports, one revealing a newly discovered sophisticated APT framework and the other detailing the recent operations of the threat actor known as Gaza Cybergang Group1.
Dubbed TajMahal, the APT framework is a fully loaded malicious toolset, replete with backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer for the victim's machine.
“We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset,” reads a blog post from Kaspersky’s Global Research and Analysis Team (GReAT) and its Anti-Malware Research (AMR) team.
Composed of two malware packages — “Tokyo” and “Yokohama” — that share the same code base, the framework was discovered by Kaspersky researchers in autumn 2018, but early samples date as far back as August 2013. Kaspersky believes Tokyo is used as a first-stage infection that subsequently deploys Yokohama as a second-stage attack on victims who are deemed of interest.
Capabilities include stealing documents from the printer queue, gathering data (including the backup list for Apple mobile devices), taking screenshots while recording audio from VoIP (voice over IP) applications, stealing written CD images, stealing files previously seen on removable drives once those drives are reconnected, and stealing cookies from browsers and the RealNetworks streaming media delivery service. The malware also includes persistence mechanisms, surviving reboots in some instances.
Kaspersky has so far detected TajMahal on only a single system, which it described no more specifically than as a diplomatic entity in a Central Asian country, but the researchers believe there are probably additional victims.
“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt,” the blog post concludes. “The huge amount of plug-ins that implement a number of features is something we have never before seen in any other APT activity.”
Kaspersky’s other report focuses on the least sophisticated subdivision of the Gaza Cybergang — an Arabic-language threat actor made up of three separate subgroups, each targeting the Middle East-North Africa region with similar objectives.
In 2018 this low-sophistication subdivision, dubbed Group1, launched a new wave of attacks as part of its ongoing “SneakyPastes” phishing operation, which uses internet paste websites as malware delivery channels to infect victims with a remote access trojan used for cyber espionage. These attacks targeted more than 240 victims across 39 countries, with 110 of the targets based in the Palestinian Territories.
Embassies and political personnel were among Group1’s top targets, along with government entities, educational institutions, journalists and media organizations, activists, health care companies and the banking sector.
According to Kaspersky, the campaign used disposable email providers such as bit-degree.com, mail4gmail.com and careless-whisper.com as platforms to deliver phishing emails that typically carried politically themed lures. Email recipients who clicked on the malicious links within the emails would then set in motion a multi-stage infection chain designed to avoid detection.
Paste and file-hosting sites like pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat would host some of these malware stages, ultimately leading up to deployment of the full RAT payload, known as Razy, NeD worm or Wonder Botnet. This RAT is capable of a variety of functions, including downloading and executing files, compression, encryption, uploading, searching directories, taking screenshots, and listing active processes and installed software.
“The threat actor’s main objective for using this RAT… was obvious from the victim data that was collected,” explains a blog post written by Kaspersky’s GReAT team. “It was to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, where they are compressed in RAR files per category, stored in temp directories within a folder named by victim ID… encrypted and uploaded to the C2.”
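The staging behaviour quoted above (per-category RAR archives collected under a victim-ID folder in a temp directory, then encrypted and uploaded) is something a responder can hunt for on disk before the upload happens. The following is an added example, not code from Kaspersky's report or from the RAT itself: it walks a list of file paths and flags temp-directory subfolders that hold RAR archives named after two or more of the document categories the report lists. The report does not give the exact folder or archive naming, so the temp-path pattern, the archive-name pattern and the sample file listing are assumptions constructed for illustration.

```python
"""Hunt for per-category document staging under a temp directory.

Added example only; the folder and archive naming below is assumed,
not taken from the report, which only says archives are built per
category and stored under a temp folder named by victim ID.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Document categories the report says the RAT collects.
CATEGORIES = {"pdf", "doc", "docx", "xls", "xlsx"}

# Assumption: staging happens in a subfolder (the victim-ID folder)
# directly under a Windows per-user or system temp directory.
TEMP_SUBDIR_PATTERN = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\temp|[a-z]:\\windows\\temp)\\[^\\]+",
    re.IGNORECASE,
)

# Assumption: each archive is named after its category, e.g. pdf.rar,
# optionally with a numeric suffix such as docx_2.rar.
ARCHIVE_PATTERN = re.compile(r"^(pdf|docx?|xlsx?)(?:[_-]\d+)?\.rar$", re.IGNORECASE)

# Constructed sample listing (not real victim data): one staging folder,
# one unrelated archive in Temp, one archive outside Temp, one folder
# with a single category only.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\7f3a9c\pdf.rar",
    r"C:\Users\alice\AppData\Local\Temp\7f3a9c\doc.rar",
    r"C:\Users\alice\AppData\Local\Temp\7f3a9c\xlsx.rar",
    r"C:\Users\alice\AppData\Local\Temp\installer.rar",
    r"C:\Users\alice\Downloads\docs\pdf.rar",
    r"C:\Windows\Temp\victim42\docx.rar",
]


def classify(path):
    """Return (staging_dir, category) for a category-named RAR archive in a
    temp subfolder, or None when the path does not fit the pattern."""
    p = PureWindowsPath(path)
    m = ARCHIVE_PATTERN.match(p.name)
    if not m:
        return None
    parent = str(p.parent)
    if not TEMP_SUBDIR_PATTERN.match(parent):
        return None
    category = m.group(1).lower()
    if category not in CATEGORIES:
        return None
    return parent, category


def find_staging_dirs(paths, min_categories=2):
    """Group matching archives by directory and return only directories
    holding archives for at least `min_categories` distinct categories.
    A single category-named archive is too weak a signal on its own; the
    per-category collection the report describes produces several."""
    categories_by_dir = defaultdict(set)
    for path in paths:
        hit = classify(path)
        if hit is not None:
            directory, category = hit
            categories_by_dir[directory].add(category)
    return {
        directory: sorted(cats)
        for directory, cats in categories_by_dir.items()
        if len(cats) >= min_categories
    }


if __name__ == "__main__":
    for directory, cats in find_staging_dirs(SAMPLE_PATHS).items():
        print(f"possible staging folder: {directory}  categories={cats}")
```

On a live host the `SAMPLE_PATHS` list would be replaced by a directory walk of the temp locations; the threshold and patterns are deliberately loose so that renamed archives or a different victim-ID format only reduce confidence rather than hide the behaviour entirely.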
Kaspersky said it collaborated with law enforcement agencies, resulting in the takedown of a “large portion” of the infrastructure used in the campaign.
“While Gaza Cybergang Group1 described in this post looks like a low sophistication group, with limited infrastructure and attack files that can be found in the wild, they are the most relentless in their attacks, with continuous targeting and high malleability,” the blog post concludes. “This has allowed the group to achieve reasonable success against a relatively wide array of victims.”