A ‘Taj Mahal’ warning for you

Reader's Pick

Researchers with cyber security firm Kaspersky Lab have uncovered a sophisticated spying platform, TajMahal, that has been active for more than five years now and appears to be unconnected to any known threat actors.

The TajMahal framework features around 80 malicious modules and includes functionality is never before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects, the researchers said.

Kaspersky Lab has so far seen only one victim, a foreign-based central Asian embassy, but it is likely that others have been affected.

- Advertisement -

“It seems highly unlikely that such a huge investment would be undertaken for only one victim. This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both,” said Alexey Shulmin, Lead Malware Analyst at Kaspersky Lab.

“The distribution and infection vectors for the threat also remain unknown. Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question. There are no attribution clues nor any links we can find to known threat groups,” Shulmin added.

The name “TajMahal” comes from the name of the file used to exfiltrate the stolen data, Kaspersky Lab said.

The TajMahal framework is believed to include two main packages, self-named as “Tokyo” and “Yokohama”.

Tokyo is the smaller of the two, with around three modules. It contains the main backdoor functionality, and periodically connects with the command and control servers. Tokyo leverages PowerShell and remains in the network even after the intrusion has moved to stage two.

- Advertisement -

Stage two is the Yokohama package: a fully armed spying framework. Yokohama includes a Virtual File System (VFS) with all plug-ins, open source and proprietary third-party libraries, and configuration files. There are nearly 80 modules in all, and they include loaders, orchestrators, command and control communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers.

TajMahal is also able to grab browser cookies, gather the backup list for Apple mobile devices, steal data from a CD burnt by a victim as well as documents in a printer queue, the researchers said.

It can also request the theft of a particular file from a previously seen USB stick, and the file will be stolen the next time the USB is connected to the computer.

The targeted systems found by Kaspersky Lab were infected with both Tokyo and Yokohama. This suggests that Tokyo was used as first stage infection, deploying the fully-functional Yokohama package on interesting victims, and then left in for backup purposes.

- Advertisement -

Read latest Business News and Startup news on TechGraph. Watch live and latest news on TechGraph TV. Follow us on Facebook or follow us on Twitter and Instagram. Listen audio news from TechGraph Briefings on Spotify, Google Podcast, Amazon Music & on Apple Podcast.
 

Krishna Mali
Krishna Mali
Founder & Editor of TechGraph.

Latest News

Promoted Links

Related Stories

Bank of Japan keeps monetary policy steady, brings new forward guidance on rates

The Bank of Japan kept its monetary policy steady on Thursday but introduced new...

Employees union seeks FIR against Jet Airways boss Naresh Goyal, Vinay Dube and on SBI Chairman

The employee union of Jet Airways, which is facing its worst crisis, Friday sought...

Japan approves 26 trillion yen as economic stimulus package to combat overseas risks

Japan's cabinet approved an economic stimulus package worth 26 trillion yen ($239 billion) with...

Samsung Electronics asks its shareholders to use electronic voting for upcoming AGM

Technology giant Samsung Electronics has adopted electronic voting for the first time ever for...

Rahul Gandhi hits on RCEP says, ‘Make in India’ has become ‘Buy from China’

Asserting that "Make in India" has become "Buy from China," Congress leader Rahul Gandhi...

CASHe launches WhatsApp-based instant credit line services

India-based credit-led Ai-driven fintech platform, CASHe has announced the launch of Ai-powered chat capability...

Budget 2022-23: Banking, NEO Bank & NBFC Sector Expectations

Banking, Neo Bank & NBFCs sector expectations from Budget 2022: As Union Finance Minister...

Maruti Suzuki plans to increase vehicle prices from next month

India’s leading automaker Maruti Suzuki has decided to increase the prices of its vehicles...

How to choose top payout casinos online

Each casino sets its conditions for the withdrawal of winnings. However, all gambling clubs...

Ampere Electric to setup e-mobility manufacturing plant in Tamil Nadu

Electric Mobility Company Ampere Electric has announced a phased investment potential of Rs 700...

Almirall onboards Mercedes Diz as VP of Corporate Strategy

Spanish biopharmaceutical company, Almirall has announced the appointment of Mercedes Diz as Vice President...

4 Top Challenges in a Small Business

Running a small business is not easy. You will face many challenges along the...

Adtech startup ExperientalEtc raises $200K from StartupLanes

Mumbai-based Adtech startup, ExperientalEtc has raised $200K in series seed round funding led by...

How Ginesys retail ERP Software Can Solve 7 Common Manufacturing Problems

The retail industry is undergoing a massive transformation. Customers nowadays prefer shopping through multiple...