New TajMahal Cyberespionage Kit Includes 80 Malicious Modules


TajMahal, a previously unknown cyberespionage platform featuring roughly 80 different malicious modules and active since at least 2013, was discovered by Kaspersky Lab’s research team during late 2018.

Even though it was active for the past six years, “with the earliest sample dated April 2013, and the most recent August 2018,” the advanced persistent threat (APT) framework is not yet connected to any hacking groups.

As further found by Kaspersky Lab, TajMahal is a multi-stage attack framework which comes with two malicious packages, self-named as Tokyo and Yokohama, dropped one after the other on the target’s computer.

The smaller Tokyo package deployed during the first infection stage comes with backdoor functionality and is used to drop the fully-featured Yokohama spying package which features around “80 modules in all, and they include loaders, orchestrators, command and control communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers.”

The TajMahal APT framework

All the systems where the researchers found the TajMahal framework in the wild were infected by both Tokyo and Yokohama, which hints at both of them remaining functional on the compromised machines, inferring “that Tokyo was used as first stage infection, deploying the fully-functional Yokohama package on interesting victims, and then left in for backup purposes.”

Once Yokohama gets dropped on a victim’s computer, it is used to hunt down interesting documents and media files, steal cookies and backups, swipe files from the printer queue, burned CDs, and from USB storage devices.

All this collected data is subsequently sent to a command-and-control server controlled by the hacking group behind the APT framework in the form of an XML file named TajMahal.

Because a central Asian diplomatic entity is the only confirmed TajMahal victim by the researchers, with the attack taking place back in 2014, despite the framework being used for at least five years, Kaspersky Lab’ theorized that there are other targets which had their computing systems compromised using this cyberespionage platform.

Some of the capabilities discovered by Kaspersky Lab’s researchers while examining the TajMahal framework:

  • Capable of stealing documents sent to the printer queue.
  • Data gathered for victim recon includes the backup list for Apple mobile devices.
  • Takes screenshots when recording VoiceIP app audio.
  • Steals written CD images.
  • Capable of stealing files previously seen on removable drives once they are available again.
  • Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies.
  • If deleted from Frontend file or related registry values, it will reappear after reboot with a new name and startup type.

tajmahal-apt-malwareKaspersky Lab lead malware analyst  Alexey Shulmin said, “The TajMahal framework is a very interesting and intriguing finding. The technical sophistication is beyond doubt and it features functionality we have not seen before in advanced threat actors. A number of questions remain. For example, it seems highly unlikely that such a huge investment would be undertaken for only one victim.”

Also, “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both. The distribution and infection vectors for the threat also remain unknown. Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question. There are no attribution clues nor any links we can find to known threat groups.”

This entry was posted in CryptoJack, Ransomware and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s