Thursday, 11 April 2019 08:56

TajMahal: APT with a great name, but just one victim


A sophisticated nation-state framework that was discovered by Kaspersky Lab in the western autumn of 2018 has only one known victim to date — a diplomatic entity in Central Asia — leading to the suspicion that it may be an American-backed threat actor that Kaspersky Lab wants to avoid profiling in detail.

Named TajMahal, the spying framework has two packages named Tokyo and Yokohama, Kaspersky Lab said, adding that it included backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine.

Available details were also presented at the company's Security Analyst Summit, which is taking place in Singapore this week. As iTWire pointed out prior to the summit, Kaspersky Lab has good reason to avoid providing details about American APTs.

The company said in a short blog post that TajMahal had been developed and used for at least five years.

"The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014," Kaspersky Lab said.

Both the packages, Tokyo and Yokohama, shared the same code base, with indications that the first-named was the initial infection vector, while Yokohama, which had more functionality, was deployed and then left on a victim's infrastructure for back-up.

TajMahal was said to be capable of:

  • Stealing documents sent to the printer queue.
  • Gathering victim recon data that includes the back-up list for Apple mobile devices.
  • Taking screenshots when recording VoiceIP app audio.
  • Stealing written CD images.
  • Stealing files previously seen on removable drives once they were available again.
  • Stealing Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies.

If deleted from the Frontend file or the related registry values, it would reappear after a reboot with a new name and start-up type, indicating that it was infecting the boot sector of a system.

"The question is, why go to all that trouble for just one victim?" Kaspersky Lab questioned. "A likely hypothesis is that there are other victims we haven’t found yet.

"This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected."

The brief blog post indicates that Kaspersky Lab wanted to reveal the APT at its summit in order to make a splash.

Its other big research meant for the summit, the ShadowHammer nation-state supply chain APT, was leaked to a freelance journalist earlier this month.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
