Hidden for 5 years, complex ‘TajMahal’ spyware discovered
It’s not every day that security researchers discover a new state-sponsored hacking group.
Spyware is inherently intriguing primarily because of the complexity that allows it to carry out its malicious plans, and breaking them down is something that security researchers have to do on a regular basis. However, a unique form of spyware with a phenomenal 80 different components and all kinds of tricks has been discovered by a group of analysts after it. Also, this spyware had been under wraps for more than five years.
A technically sophisticated cyberespionage framework that has been active since at least 2013 has been outed by security researchers.
In a recent talk at the Kaspersky Security Analyst Summit in Singapore, researcher Alexey Shumin shed light on the firm’s groundbreaking discovery of an adaptable Swiss Army spyware framework called TajMahal.
Security researchers still aren’t sure who’s behind the versatile TajMahal spyware—or how they went undetected for so long.
‘TajMahal’ modules and bundles functionality which have never been before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.
The 80 distinct modules include not just the standard ones like keylogging and screen-grabbing but also completely new tools.
TajMahal include two main packages: ‘Tokyo’ and ‘Yokohama’. Tokyo contains the main backdoor functionality, and periodically connects with the command and control servers.
TajMahal is a wonder to behold.
“Such a large set of modules tells us that this APT is extremely complex,” Shulmin wrote in an email interview ahead of his talk, using the industry jargon—short for advanced persistent threat—to refer to a sophisticated hackers who maintain long-term and stealthy access to victim networks. “TajMahal is an extremely rare, technically advanced and sophisticated framework, which includes a number of interesting features we have not previously seen in any other APT activity. Coupled with the fact that this APT has a completely new code base—there are no code similarities with other known APTs and malware—we consider TajMahal to be special and intriguing.”