Yesterday, cybersecurity researchers disclosed the existence of a highly sophisticated spyware framework that has been in operation for at least five years but was only recently discovered.
The APT framework, dubbed TajMahal by Kaspersky Lab researchers, is a high-tech, modular malware toolkit that not only supports a large number of malicious plugins for distinct espionage operations but also includes never-before-seen and obscure techniques.
The framework was named after the Taj Mahal, one of the Seven Wonders of the World located in India, not because Kaspersky discovered a connection between the malware and India, but because the stolen data was sent to the attackers’ C&C server in an XML file named TajMahal.
The TajMahal toolkit was first discovered by security researchers late last year, when it was used to spy on the computers of a diplomatic organization belonging to an unidentified Central Asian nation.
Nonetheless, malware samples analyzed by the researchers indicate that the cyberespionage group responsible for the attack has been active since at least August 2014.
The TajMahal framework consists of two main packages, named “Tokyo” and “Yokohama”, that together contain over eighty distinct malicious modules, which, according to the researchers, is one of the highest numbers of plugins ever observed for an APT toolkit.
The malware includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine, according to the researchers.
Researchers have yet to determine how TajMahal initially infected its targets, but they have found that once access is gained, the first-stage component, Tokyo, is downloaded onto the targeted machine; Tokyo then delivers the fully functional second-stage malware, Yokohama.
Yokohama stores malicious modules within its encrypted Virtual File System, allowing them to:
- log keystrokes,
- steal browser cookies and data, including backup for Apple mobile devices,
- record and take screenshots of VoIP calls,
- steal images of CDs written by the victim,
- steal documents sent to the printer queue.
In addition to typical spying capabilities, the malware possesses unique features, such as the ability to queue a request for a specific file from a USB stick that was previously inserted; the next time that USB stick is connected to the compromised computer, the file is stolen.
Given the sophistication of the framework, the researchers believe that additional TajMahal victims remain to be discovered, even though they have only discovered a single victim so far.
“Based on our telemetry, we have detected a single victim to date,” Kaspersky stated. “This theory is supported by the fact that we were unable to determine how one of the files in the VFS was utilized by the malware, leaving the door open to the possibility of undetected variants of the malware.”
On the SecureList blog, researchers have published a full set of Indicators of Compromise (IOCs) and a complete list of 80 malicious modules stored in the malware, along with a brief description of what they do.