TajMahal APT Can Steal Data From CDs, Printer Queues

Kaspersky Lab security researchers have discovered a sophisticated advanced persistent threat (APT) framework that provides a full set of spying capabilities.

Dubbed TajMahal, the framework includes backdoors, loaders, orchestrators, command and control (C&C) communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic key stealers, and a file indexer.

First observed in the autumn of 2018, the framework consists of two packages named ‘Tokyo’ and ‘Yokohama’, and the researchers found around 80 malicious modules stored in its encrypted Virtual File System (VFS).

Although it was discovered only recently, the framework has been in use for at least five years, with the first sample having a timestamp of August 2013 (the last one is from April 2018). The earliest known TajMahal samples were seen on a victim’s device in August 2014.

Both TajMahal packages were found together on infected machines, which suggests that Tokyo is used in the first stage of the infection: it delivers the Yokohama package and then remains on the machine as a backup.

TajMahal, Kaspersky reveals, can even steal data from a CD burnt by a victim and from the printer queue. Additionally, it can exfiltrate files from previously seen USB sticks when they are connected to the infected computer a second time.

The malware can gather a large amount of data from victim machines, including the backup list for Apple mobile devices; it can take screenshots while recording audio from VoIP applications, and it can steal Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies. It also features a file indexer and emergency C&C servers.

The malware also includes a persistence mechanism that allows it to reinstall itself after a reboot if it has been deleted.

Kaspersky said it has identified a single victim so far, a diplomatic entity from a country in Central Asia, but the researchers believe other, not yet identified victims exist.

They also believe that additional, not yet detected versions of the malware exist. This hypothesis is based on the fact that they could not determine how one of the files in the VFS is used by the framework samples discovered so far.

“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity,” Kaspersky concludes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.