Security Market Segment LS
Thursday, 11 April 2019 08:56

TajMahal: APT with a great name, but just one victim


A sophisticated nation-state framework that was discovered by Kaspersky Lab in the western autumn of 2018 has only one known victim to date — a diplomatic entity in Central Asia — leading to the suspicion that it may be an American-backed threat actor that Kaspersky Lab wants to avoid profiling in detail.

Named TajMahal, the spying framework has two packages named Tokyo and Yokohama, Kaspersky Lab said, adding that it included backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine.

Available details were also presented at the company's Security Analyst Summit which is taking place in Singapore this week. As iTWire pointed out prior to the summit, Kaspersky Lab has a good reason to avoid the provision of details about American APTs. 

The company said in a short blog post that TajMahal had been developed and used for at least five years.

"The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014," Kaspersky Lab said.

Both the packages, Tokyo and Yokohama, shared the same code base, with indications that the first-named was the initial infection vector, while Yokohama, which had more functionality, was deployed and then left on a victim's infrastructure for back-up.

TajMahal was said to be capable of:

  • Stealing documents sent to the printer queue.
  • Gathering victim recon data that includes the back-up list for Apple mobile devices.
  • Taking screenshots when recording VoiceIP app audio.
  • Stealing written CD images.
  • Stealing files previously seen on removable drives once they were available again.
  • Stealing Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies.

If deleted from the Frontend file or the related registry values, it would reappear after reboot with a new name and start-up type, indicating that it was infecting the boot sector of a system.
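One defender-side check that follows from this behaviour, written as an added example and not part of the article or of Kaspersky Lab's analysis: take a snapshot of start-up entries (services, Run keys) before removing a suspicious entry, take another after the reboot, and flag any post-reboot entry whose executable is unchanged but whose name or start type differs, along with entries that are entirely new. The entry names, paths and hash values below are constructed placeholders; in practice the hashes would come from hashing the image files on disk, and an implant that also rewrites its binary would not be caught by the hash match alone.

```python
"""Flag autorun entries that come back under a new name or start type.

Added example, not code from the article or from Kaspersky Lab. The idea is
a two-snapshot diff: `before` is taken prior to deleting a suspicious entry,
`after` is taken once the machine has rebooted. All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutorunEntry:
    name: str        # service name or Run-key value name
    image_path: str  # executable or DLL the entry points at
    start_type: str  # "boot", "auto" or "manual" (constructed vocabulary)
    sha256: str      # hash of the image file; placeholder strings below


def diff_autoruns(before, after, deleted_names):
    """Compare a pre-deletion snapshot with a post-reboot snapshot.

    deleted_names: names of the entries the analyst removed in between.
    Returns a dict with two lists:
      "reappeared": (old_entry, new_entry) pairs where a post-reboot entry has
                    the same image hash as a deleted entry but a different
                    name or start type, i.e. the persistence re-created itself
      "new":        post-reboot entries whose image hash was not seen before
    """
    before_by_hash = {e.sha256: e for e in before}
    deleted_by_hash = {e.sha256: e for e in before if e.name in deleted_names}
    reappeared, new = [], []
    for entry in after:
        if entry.sha256 in deleted_by_hash:
            old = deleted_by_hash[entry.sha256]
            if entry.name != old.name or entry.start_type != old.start_type:
                reappeared.append((old, entry))
        elif entry.sha256 not in before_by_hash:
            new.append(entry)
    return {"reappeared": reappeared, "new": new}


# Constructed snapshots. "h-..." strings stand in for real SHA-256 digests.
BEFORE = [
    AutorunEntry("Spooler", r"C:\Windows\System32\spoolsv.exe", "auto", "h-spooler"),
    AutorunEntry("SysHelper", r"C:\ProgramData\syshelper.dll", "auto", "h-implant"),
    AutorunEntry("Updater", r"C:\Program Files\Vendor\upd.exe", "manual", "h-upd"),
]
AFTER = [
    AutorunEntry("Spooler", r"C:\Windows\System32\spoolsv.exe", "auto", "h-spooler"),
    # Same image as the deleted SysHelper entry, but a new name and start type.
    AutorunEntry("NetCache", r"C:\ProgramData\netcache.dll", "boot", "h-implant"),
    AutorunEntry("Updater", r"C:\Program Files\Vendor\upd.exe", "manual", "h-upd"),
    # An entry that did not exist in the first snapshot at all.
    AutorunEntry("Telemetry", r"C:\ProgramData\tele.exe", "auto", "h-tele"),
]


def run_demo():
    """Run the diff on the constructed snapshots after 'deleting' SysHelper."""
    return diff_autoruns(BEFORE, AFTER, deleted_names={"SysHelper"})


if __name__ == "__main__":
    result = run_demo()
    for old, new in result["reappeared"]:
        print(f"reappeared: {old.name} ({old.start_type}) -> "
              f"{new.name} ({new.start_type}) at {new.image_path}")
    for entry in result["new"]:
        print(f"new entry: {entry.name} -> {entry.image_path}")
```

On the constructed data the script reports SysHelper returning as NetCache with a boot-time start type, and Telemetry as a previously unseen entry; the renamed-but-identical case is the signal the article describes, while the "new" list is where a freshly dropped component would show up.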

"The question is, why go to all that trouble for just one victim?" Kaspersky Lab questioned. "A likely hypothesis is that there are other victims we haven’t found yet.

"This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected."

The brief blog post indicates that Kaspersky Lab wanted to reveal the APT at its summit in order to make a splash.

Its other big research meant for the summit, the ShadowHammer nation-state supply chain APT, was leaked to a freelance journalist earlier this month.

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
