Mystery TajMahal malware outed

A technically sophisticated cyberespionage framework that has been active since at least 2013 has been outed by security researchers.

The framework, which researchers from Kaspersky Lab have dubbed ‘TajMahal’, features around 80 malicious modules and bundles functionality never before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects.

TajMahal includes two main packages: ‘Tokyo’ and ‘Yokohama’. Tokyo contains the main backdoor functionality and periodically connects to the command and control servers.

The Yokohama package is a fully armed spying framework that bundles a Virtual File System (VFS) with various plugins, open source and proprietary third-party libraries, and configuration files.

Yokohama bundles nearly 80 modules in all, including audio recorders, keyloggers, screen and webcam grabbers, and document and cryptography-key stealers.

The distribution methods and infection vectors for TajMahal are currently unknown. Analysts reckon that Tokyo serves as a first stage infection, deploying the fully-functional Yokohama package on interesting victims as a secondary infection.

TajMahal comes with a variety of features including the ability to grab browser cookies, gather the backup list for Apple mobile devices, and steal data from a CD burnt by a victim, as well as snaffling documents in a printer queue.

So far, only one victim has been identified – a foreign-based, central Asian diplomatic entity, infected by 2014. The earliest example of TajMahal dates from April 2013, but a sample was only captured towards the end of last year.

“The TajMahal framework is a very interesting and intriguing finding,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “The technical sophistication is beyond doubt and it features functionality we have not seen before in advanced threat actors.

“A number of questions remain. For example, it seems highly unlikely that such a huge investment would be undertaken for only one victim.

“This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”

In other spying news, a basic but effective operation by a group of presumed Palestinian hackers hit Middle East-related targets in 39 countries.

The campaign – named ‘SneakyPastes’ – made use of disposable email addresses to spread politically-themed phishing emails. Malicious links or attachments that were either clicked or downloaded then planted malicious code on a compromised device.

“In order to avoid detection and hide the location of the command and control server, additional malware was downloaded to victim devices in chained stages using a number of free sites including Pastebin and GitHub,” security researchers at Kaspersky Lab report.

“The various malicious implants used PowerShell, VBS, JS, and dotnet to secure resilience and persistence within infected systems.

“The final stage of intrusion was a Remote Access Trojan, which made contact with the command and control server and then gathered, compressed, encrypted, and uploaded a wide range of stolen documents and spreadsheets to it.”
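The chain described in the quote above (a scripting client pulling successive stages from free paste and code-hosting sites, followed by a bulk upload of collected documents) leaves a recognisable trace in web-proxy logs. The following is an added example, not code from Kaspersky Lab or from the report: it runs three defender-side checks over a few constructed proxy log lines. The log format, the hosts `10.0.0.x`, the paste URLs, the upload destination `203.0.113.7` and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the report). Fields: timestamp, client IP,
# HTTP method, URL, user agent (may contain spaces), bytes sent by the client.
SAMPLE_LOG = """\
2018-09-03T09:12:01Z 10.0.0.15 GET https://pastebin.com/raw/AbCdEf12 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228 0
2018-09-03T09:12:03Z 10.0.0.15 GET https://raw.githubusercontent.com/someuser/somerepo/master/stage2.txt Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228 0
2018-09-03T09:12:09Z 10.0.0.15 GET https://pastebin.com/raw/ZyXwVu98 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228 0
2018-09-03T09:14:40Z 10.0.0.15 POST https://203.0.113.7/upload Mozilla/5.0 (compatible; MSIE 9.0) 4820531
2018-09-03T09:15:02Z 10.0.0.22 GET https://pastebin.com/raw/Hello123 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/69.0 0
2018-09-03T11:40:17Z 10.0.0.31 GET https://github.com/someuser/somerepo Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/69.0 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*) (\d+)$")

# Raw-content endpoints of free paste/code-hosting sites. Browsers fetch the
# rendered pages; a script pulling the raw text is the pattern worth flagging.
STAGING_RE = re.compile(
    r"^https?://(pastebin\.com/raw/|raw\.githubusercontent\.com/|gist\.githubusercontent\.com/)",
    re.IGNORECASE,
)
# User-agent fragments of Windows scripting/download clients (assumed list).
SCRIPT_UA_RE = re.compile(r"WindowsPowerShell|Microsoft BITS/", re.IGNORECASE)

CHAIN_WINDOW = timedelta(minutes=10)   # several stage fetches inside this window
CHAIN_MIN_FETCHES = 2
UPLOAD_WINDOW = timedelta(minutes=30)  # upload this soon after staging is suspicious
UPLOAD_MIN_BYTES = 1_000_000


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua, sent = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "ua": ua, "sent": int(sent),
        })
    return events


def analyze(log_text):
    """Return a list of findings, each tagged with the rule that produced it."""
    events = parse(log_text)
    findings = []
    staging_by_client = defaultdict(list)  # client IP -> timestamps of script fetches

    # Rule 1: a scripting client fetching raw content from a paste/code-hosting site.
    for e in events:
        if STAGING_RE.match(e["url"]) and SCRIPT_UA_RE.search(e["ua"]):
            staging_by_client[e["client"]].append(e["ts"])
            findings.append({"rule": "script-fetch-from-paste-site",
                             "client": e["client"], "url": e["url"]})

    # Rule 2: chained staging, i.e. several such fetches from one host in a short window.
    for client, times in staging_by_client.items():
        times.sort()
        for i in range(len(times)):
            run = [t for t in times[i:] if t - times[i] <= CHAIN_WINDOW]
            if len(run) >= CHAIN_MIN_FETCHES:
                findings.append({"rule": "chained-staging", "client": client, "fetches": len(run)})
                break

    # Rule 3: a large POST from a host that staged code shortly before (candidate exfiltration).
    for e in events:
        if e["method"] != "POST" or e["sent"] < UPLOAD_MIN_BYTES:
            continue
        prior = [t for t in staging_by_client.get(e["client"], [])
                 if timedelta(0) <= e["ts"] - t <= UPLOAD_WINDOW]
        if prior:
            findings.append({"rule": "upload-after-staging", "client": e["client"],
                             "bytes": e["sent"], "url": e["url"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Rule 1 alone produces noise (developers legitimately script against GitHub), which is why the example also correlates fetches into chains and ties them to a subsequent bulk upload; a browser visit to a pastebin raw URL, as on `10.0.0.22`, is deliberately not flagged.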

The whole approach might be relatively unsophisticated, but it has nonetheless been effective in allowing the group to hit around 240 high-profile victims in 39 countries worldwide, including political, diplomatic, media, and activist entities, among others.

Kaspersky Lab’s research was shared with law enforcement, leading to the takedown of a significant part of the attack infrastructure tied to the so-called Gaza Cybergang – a politically motivated hacking collective.

The SneakyPastes operation was at its most active between April and mid-November 2018, with the majority of victims located in the Palestinian Territories, Jordan, Israel and Lebanon.

Victims included embassies, government entities, media outlets and journalists, activists, political parties, and individuals, as well as education, banking, healthcare, and contracting organizations.

The name SneakyPastes comes from the attackers’ reliance on paste sites as part of the multi-stage attack.

SneakyPastes shows that lack of infrastructure and advanced tools is no impediment to success, according to Amin Hasbini, head of the Middle East research center for Kaspersky Lab’s Global Research and Analysis team.

“We expect the damage exerted by all three Gaza Cybergang groups to intensify and the attacks to extend into other regions that are also linked to Palestinian issues,” he said.

Details of both strains of malware were released at Kaspersky Lab’s Security Analyst Summit in Singapore on Wednesday.