Thursday, 11 April 2019 08:56

TajMahal: APT with a great name, but just one victim

By Sam Varghese

A sophisticated nation-state framework that was discovered by Kaspersky Lab in the western autumn of 2018 has only one known victim to date — a diplomatic entity in Central Asia — leading to the suspicion that it may be an American-backed threat actor that Kaspersky Lab wants to avoid profiling in detail.

Named TajMahal, the spying framework has two packages named Tokyo and Yokohama, Kaspersky Lab said, adding that it included backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine.

Available details were also presented at the company's Security Analyst Summit which is taking place in Singapore this week. As iTWire pointed out prior to the summit, Kaspersky Lab has a good reason to avoid the provision of details about American APTs. 

The company said in a short blog post that TajMahal had been developed and used for at least five years.

"The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014," Kaspersky Lab said.

Both the packages, Tokyo and Yokohama, shared the same code base, with indications that the first-named was the initial infection vector, while Yokohama, which had more functionality, was deployed and then left on a victim's infrastructure for back-up.

TajMahal was said to be capable of:

  • Stealing documents sent to the printer queue.
  • Gathering victim recon data that includes the back-up list for Apple mobile devices.
  • Taking screenshots when recording VoiceIP app audio.
  • Stealing written CD images.
  • Stealing files previously seen on removable drives once they were available again.
  • Stealing Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies.

If deleted from the Frontend file or the related registry values, it would reappear after reboot with a new name and start-up type, indicating that it was infecting the boot sector of a system.
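A defender's check for the behaviour just described, written as an added example rather than code from Kaspersky Lab or iTWire: compare an autostart inventory taken before clean-up with one taken after reboot, and flag any binary that was removed but is back under a different name or start-up type. The entries, paths and hashes below are constructed sample data, not indicators from the report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AutostartEntry:
    """One autostart record (service or Run key) as an inventory tool would record it."""
    name: str
    start_type: str   # e.g. "auto", "boot", "demand"
    image_path: str
    sha256: str       # hash of the binary on disk, used to recognise a renamed copy

def resurrected_entries(baseline, removed_names, after_reboot):
    """Return (old, new) pairs where a binary removed before reboot has reappeared
    afterwards as a new entry with a different name and/or start type."""
    removed = [e for e in baseline if e.name in removed_names]
    findings = []
    for old in removed:
        for new in after_reboot:
            same_binary = new.sha256 == old.sha256
            changed = new.name != old.name or new.start_type != old.start_type
            if same_binary and changed:
                findings.append((old, new))
    return findings

# Constructed snapshots: an analyst deletes "UpdateHelper", then reboots.
BASELINE = [
    AutostartEntry("UpdateHelper", "auto", r"C:\ProgramData\uh\svc.exe", "a1" * 32),
    AutostartEntry("Spooler", "auto", r"C:\Windows\System32\spoolsv.exe", "b2" * 32),
]
REMOVED = {"UpdateHelper"}
AFTER_REBOOT = [
    # Same binary (same hash) is back under a new name and a boot-time start type.
    AutostartEntry("NetCfgSvc", "boot", r"C:\ProgramData\nc\svc.exe", "a1" * 32),
    AutostartEntry("Spooler", "auto", r"C:\Windows\System32\spoolsv.exe", "b2" * 32),
]

if __name__ == "__main__":
    for old, new in resurrested if False else resurrected_entries(BASELINE, REMOVED, AFTER_REBOOT):
        print(f"{old.name} ({old.start_type}) came back as {new.name} ({new.start_type})")
```

A clean host yields an empty list; any pair returned is worth a memory and boot-sector examination rather than another delete-and-reboot cycle.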

"The question is, why go to all that trouble for just one victim?" Kaspersky Lab questioned. "A likely hypothesis is that there are other victims we haven’t found yet.

"This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected."

The brief blog post indicates that Kaspersky Lab wanted to reveal the APT at its summit in order to make a splash.

Its other big research meant for the summit, the ShadowHammer nation-state supply chain APT, was leaked to a freelance journalist earlier this month.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
