Another Taj Mahal (between Tokyo and Yokohama)

April 10, 2019

In the fall of 2018, we detected an attack on a diplomatic organization belonging to a Central Asian country. There would be no story here (diplomats and their information systems attract the interest of various political forces every now and again) were it not for the tool employed: a new APT platform by the name of TajMahal.

More than a mere set of back doors, TajMahal is a high-quality, high-tech spyware framework with a vast number of plugins (our experts have found 80 malicious modules so far), allowing for all kinds of attack scenarios using various tools. According to our experts, TajMahal has been in operation for the past five years, and the fact that only one victim has been confirmed to date suggests only that others have yet to be identified.

What can TajMahal do?

The APT platform consists of two main parts: Tokyo and Yokohama. Both were detected on all infected computers. Tokyo acts as the main back door and delivers the second-stage malware. Interestingly, it remains in the system even after the second phase starts, evidently to operate as an additional communication channel. Yokohama, meanwhile, is the weapon payload of the second stage. It creates a virtual file system complete with plugins, third-party libraries, and configuration files. Its arsenal is extensive in the extreme:

  • Stealing cookies,
  • Intercepting documents from the print queue,
  • Collecting data about the victim (including a list of backup copies of their iOS device),
  • Recording and taking screenshots of VoIP calls,
  • Stealing optical disc images made by the victim,
  • Indexing files, including those on external drives, and potentially stealing specific files when the drive is detected again.

Conclusion

The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase. That said, Kaspersky Lab products detect TajMahal. A more technically detailed report can be found on Securelist.

Initially, the threat was discovered using our automatic heuristic technologies. So to guard against TajMahal and its analogs, it makes sense to use proven security solutions such as Kaspersky Endpoint Security for Business.