
Sophisticated TajMahal APT Framework remained under the radar for 5 years

Cybersecurity experts at Kaspersky Lab uncovered a highly sophisticated spyware framework, dubbed TajMahal, that was involved in a cyberespionage campaign for at least the last 5 years.

Cybersecurity researchers at Kaspersky discovered a highly sophisticated spyware framework, dubbed TajMahal, that has been used in cyber operations for at least the last 5 years. The TajMahal framework remained undetected until the fall of 2018, when the researchers detected an attack on a diplomatic organization belonging to a Central Asian country.

The TajMahal APT framework is a high-tech, modular malware toolkit that supports a vast number of malicious plugins, but what makes it stand out is a series of evasion techniques never seen before.

“More than a mere set of back doors, TajMahal is a high-quality, high-tech spyware framework with a vast number of plugins (our experts have found 80 malicious modules so far), allowing for all kinds of attack scenarios using various tools,” reads the analysis published by Kaspersky. “According to our experts, TajMahal has been in operation for the past five years, and the fact that only one victim has been confirmed to date suggests only that others have yet to be identified.”

The TajMahal framework is composed of two main packages, named “Tokyo” and “Yokohama.” The experts observed over 80 distinct malicious modules, a record number of plugins for an APT attack framework.

Tokyo is the main back door and delivers the second-stage payload; experts noticed that it maintains persistence on the system even after the second stage starts. The Yokohama component is the second-stage attack payload: it creates a virtual file system complete with plugins, third-party libraries, and configuration files. The modular architecture makes it a powerful tool for a range of cyber espionage campaigns.

It implements several features, including stealing cookies, intercepting documents from the print queue, collecting data about the victim (including a list of backup copies of their iOS device), recording and taking screenshots of VoIP calls, stealing optical disc images made by the victim, and indexing files, including those on external drives, so that specific files can be stolen when the drive is detected again.

The mystery behind this story is that Kaspersky Lab found only one TajMahal victim, which is very strange for such a sophisticated framework. Experts believe that the number of victims is greater and that many of the infections have yet to be discovered.

“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase,” concludes Kaspersky. “So far we have detected a single victim based on our telemetry.”

“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity.”

“The question is, why go to all that trouble for just one victim?”

“This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.”

Additional technical details, including Indicators of Compromise, are available in the blog post published on the SecureList blog.


Pierluigi Paganini

(SecurityAffairs – TajMahal framework, cyberespionage)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
