Rare spying platform discovered after 5 years of activity

[Image: TajMahal artwork (photo from Kaspersky Lab)]

SINGAPORE — A sophisticated cyberespionage framework that has around 80 malicious modules and includes functionality never before seen in an advanced persistent threat (APT) was recently discovered by security researchers, five years after it first became active.

Cybersecurity company Kaspersky Lab revealed that its researchers discovered in late 2018 a framework dubbed TajMahal, which has been active since at least 2013.

The company, which recently held its Security Analyst Summit here, described TajMahal as an APT framework designed for extensive cyberespionage. It said malware analysis showed that the platform has been developed and used for at least the last five years, with the earliest sample dated April 2013, and the most recent in August 2018.

The name TajMahal comes from the name of the file used to exfiltrate the stolen data, Kaspersky said.

“The TajMahal framework is a very interesting and intriguing finding. The technical sophistication is beyond doubt and it features functionality we have not seen before in advanced threat actors,” said Alexey Shulmin, the lead malware analyst at the company.

Among its capabilities, the framework can grab browser cookies, gather the backup list for Apple mobile devices, and steal data from a CD burnt by a victim as well as documents sitting in a printer queue.

The framework can also request the theft of a particular file from a previously seen USB stick, and the file will be stolen the next time the USB is connected to the computer, according to Kaspersky.

Two main packages

Kaspersky believes that the TajMahal framework includes two main packages, self-named as “Tokyo” and “Yokohama.”

Tokyo is smaller and has around three modules. It contains the main backdoor functionality, and periodically connects with the command and control servers. It also leverages PowerShell and remains in the network even after the intrusion has moved to stage two, according to the company.

Stage two is the Yokohama package, which Kaspersky described as a “fully armed spying framework.” It includes a Virtual File System (VFS) with all plugins, open-source and proprietary third-party libraries, and configuration files. There are nearly 80 modules in all, including loaders, orchestrators, command-and-control communicators, audio recorders, keyloggers, screen and webcam grabbers, and document and cryptography-key stealers.

Kaspersky said the targeted systems it found were infected with both “Tokyo” and “Yokohama,” which suggests that Tokyo was used as the first-stage infection, deploying the fully functional Yokohama package on interesting victims, and then left in place as a backup.

Only one monitored victim so far

So far, Kaspersky has monitored only one victim, a Central Asian diplomatic entity that it did not identify and that had been infected in 2014.

The scale of TajMahal's distribution and infection is currently unknown, but according to Shulmin it is highly unlikely that such a large investment would be undertaken for only one victim.

“This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both,” he said.

“Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question. There are no attribution clues nor any links we can find to known threat groups,” he also said.
