Malicious ‘TajMahal’ Uncovered

Kaspersky Lab researchers have recently discovered TajMahal – a a technically sophisticated APT framework designed for extensive cyberespionage, that has been developed and used for at least the last five years, with the earliest sample dated April 2013, and the most recent August 2018.

The name TajMahal comes from the name of the file used to exfiltrate the stolen data; and the TajMahal framework is believed to include two main packages, self-named as ‘Tokyo’ and ‘Yokohama’.

Tokyo contains the main backdoor functionality, and periodically connects with the command and control servers; it leverages PowerShell and remains in the network even after the intrusion has moved to stage two.

Stage two is the Yokohama – a fully armed spying framework that includes a Virtual File System (VFS) with all plugins, open source and proprietary third-party libraries, and configuration files.  There are nearly 80 modules in all, and they include loaders, orchestrators, command and control communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers.

TajMahal is also able to grab browser cookies, gather the backup list for Apple mobile devices, steal data from a CD burnt by a victim as well as documents in a printer queue. It can also request the theft of a particular file from a previously seen USB stick, and the file will be stolen the next time the USB is connected to the computer.

So far, only one victim has been observed – a foreign based, central Asian diplomatic entity, infected by 2014. The distribution and infection vectors for TajMahal are currently unknown.

“The TajMahal framework is a very interesting and intriguing finding. The technical sophistication is beyond doubt and it features functionality we have not seen before in advanced threat actors. Somehow, TajMahal has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question.  There are no attribution clues nor any links we can find to known threat groups,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab.