Named TajMahal, the spying framework has two packages named Tokyo and Yokohama, Kaspersky Lab said, adding that it included backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine.
Available details were also presented at the company's Security Analyst Summit which is taking place in Singapore this week. As iTWire pointed out prior to the summit, Kaspersky Lab has a good reason to avoid the provision of details about American APTs.
The company said in a short blog post that TajMahal had been developed and used for at least five years.
Both the packages, Tokyo and Yokohama, shared the same code base, with indications that the first-named was the initial infection vector, while Yokohama, which had more functionality, was deployed and then left on a victim's infrastructure for back-up.
TajMahal was said to be capable of:
- Stealing documents sent to the printer queue.
- Gathering victim recon data that includes the back-up list for Apple mobile devices.
- Taking screenshots when recording VoIP app audio.
- Stealing written CD images.
- Stealing files previously seen on removable drives once they were available again.
- Stealing Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies.
If the Frontend file or related registry values were deleted, it would reappear after reboot with a new name and start-up type, indicating that it was infecting the boot sector of a system.
"The question is, why go to all that trouble for just one victim?" Kaspersky Lab questioned. "A likely hypothesis is that there are other victims we haven’t found yet.
"This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected."
The brief blog post indicates that Kaspersky Lab wanted to reveal the APT at its summit in order to make a splash.
Its other big research meant for the summit, the ShadowHammer nation-state supply chain APT, was leaked to a freelance journalist earlier this month.