• United States




New TajMahal APT discovered by Kaspersky has one known victim, likely others

Apr 10, 20194 mins

Active since August 2014 with 80 modules able to capture a variety of information but with only one known victim, the TajMahal APT seems too advanced not to be used just once.

security threats and vulnerabilities
Credit: Thinkstock

A previously unknown and technically sophisticated advanced persistent threat (APT) framework that has been in operation for five years has been discovered. Revealed by Kaspersky Lab and dubbed Project TajMahal, the newly discovered APT framework contains up to 80 malicious modules stored in its encrypted virtual file system (VFS) including backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and its own file indexer.

“The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity,” the company said in its analysis of the malware.

What do we know about TajMahal?

Whether this was developed by a previously known APT group is unclear, as is the ultimate goal of the attack. The company’s analysis of the malware suggested it could date back as far as August 2013, while the “diplomatic entity” was infected a year later in August 2014. The most recent sample Kaspersky found was from August 2018, suggesting the group is still active.

So far, TajMahal has only one confirmed victim, an unnamed “central Asian diplomatic entity.” However, Kaspersky warned that such sophisticated work wouldn’t be developed and used against one target. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”

“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase,” Shulmin added. “Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question.”

What can TajMahal do?

Named after the XML file used for data exfiltration, TajMahal is made up of two packages: Tokyo and Yokohama. Tokyo acts as the main back door (via PowerShell) and delivery mechanism for Yokohama, periodically connects with the command and control servers and remains on the victim device as a backup. Yokahama is the main payload and includes a VFS with all plugins, open-source and proprietary third-party libraries, and configuration files.

It is able to steal cookies, intercept documents from the print queue, record audio, take screenshots, index files (including those on external drives connected to infected devices) and steal specific files when next they are detected, and take information burned on CDs. The fact its code base or infrastructure isn’t shared with other known APTs is likely why it was able to remain undetected for so long.

What don’t we know about TajMahal?

Kaspersky’s discovery, while noteworthy, throws up many questions that haven’t been answered:

Who is behind TajMahal? Kaspersky hasn’t identified any potential group that could be behind TajMahal and there are no attribution clues nor any links to known threat groups. According to ThreatPost, the only known victim was previously unsuccessfully targeted by Zebrocy, a malware strain associated with the Russian-linked hacking group Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group and others). Kaspersky notes that the Russian-linked Turla/Uroboros Trojan also involved a backdoor known as TadjMakhal.

How does it spread? So far, Kaspersky has said that distribution and infection vectors are is still unknown.

What were they after? Given that it was able to take screenshots, record audio, keystrokes, documents, messages sent via instant messaging and more, it’s unclear what intel the attackers were actually after. Given that the only known victim was a diplomatic entity, it’s likely to be sensitive information.