TajMahal APT Can Steal Data From CDs, Printer Queues
Kaspersky Lab security researchers have discovered a sophisticated advanced persistent threat (APT) framework that provides a full set of spying capabilities.
Dubbed TajMahal, the framework includes backdoors, loaders, orchestrators, command and control (C&C) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer.
First observed in the autumn of 2018, the tool consists of two packages named ‘Tokyo’ and ‘Yokohama’, and the security researchers found around 80 malicious modules stored in the framework’s encrypted Virtual File System (VFS).
Although it was discovered only recently, the framework has been in use for at least five years, with the first sample having a timestamp of August 2013 (the last one is from April 2018). The earliest known TajMahal samples were seen on a victim’s device in August 2014.
The security researchers observed that both TajMahal packages were found together on infected machines, suggesting that Tokyo is employed during the first stage of the infection: it delivers the Yokohama package and is then kept on the machine as a backup.
TajMahal, Kaspersky reveals, can even steal data from a CD burnt by a victim and from the printer queue. Additionally, it can exfiltrate files from previously seen USB sticks when they are connected to the infected computer a second time.
The malware can gather a large amount of data from victim machines, including the backup list for Apple mobile devices; it can take screenshots while recording audio from VoIP applications, and it can steal Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies. It also features an indexer and emergency C&C servers.
The malware also packs a persistence mechanism that allows it to reappear after a reboot if it has been deleted.
Kaspersky said they were able to identify a single victim so far, a diplomatic entity from a country in Central Asia. However, the researchers believe that other victims do exist, although they haven’t been identified yet.
Moreover, they believe that additional versions of the malware exist, but haven’t been detected yet. This hypothesis is based on the fact that they couldn’t determine how one of the files in the VFS was used by the discovered framework samples.
“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity,” Kaspersky concludes.