What Is The Tajmahal Spyware?

Researchers have recently discovered an adaptable and modular software called Tajmahal that consists of a variety of features designed to carry out various cyber spying tasks. The versatility and complexity of this spyware framework have alarmed security experts and researchers. Find out more what the Tajmahal is capable of in the following article.

What Is Tajmahal Spyware?

Kaspersky Lab’s security researchers have discovered a new, high-quality, high-tech spyware framework called TajMahal. They were able to detect the threat by using their automatic heuristic technologies. The spyware has the ability to foster all kinds of attacks with the implementation of various tools. It is characterized by a highly sophisticated and never before seen code base. Experts have detected 80 malicious modules so far in the spyware. Experts say that TajMahal spyware has been in full active mode for over five years.

As a matter of fact, experts have only just discovered the framework last year when it targeted the diplomatic agency of a Central Asian country. Just because only one emerged as the victim of the attack doesn’t mean that many others have gone unaffected. They’re probably just unaware of it, and the rest of the victims have yet to be confirmed. Security experts believe that a nation-state attacker is behind this Advanced Persistent Threat (APT). But, researchers and security experts haven’t pointed fingers at any known hacking groups or threat actors so far.

What Does Tajmahal Do?

The reason why this framework managed to stay under the radar for five years is due to its code base. This particular base bears no relation to other malware or APTs. This is how this spyware works and what this APT platform consists of. The framework damages and infects systems with the use of two packages called Tokyo and Yokohama. Tokyo doesn’t exit the system even after the second phase begins in order to serve as an additional communication channel.

Yokohama, on the other hand, counts as the weapon payload of that second phase. While Tokyo contains just three modules -one of which operates as the initial backdoor, Yokohama is multifunctional payload spyware, that is made up of dozens of other modules. A large number of modules is used in Yokohama to provide all kinds of functionalities. Yokohama creates a complete virtual file system with plugins, third-party libraries, and configuration files. Tokyo’s initial backdoor uses the PowerShell hacking framework. This allows attackers to infect more systems on a wider scale, as well as, connect to a command-and-control server. Connecting to one is how attackers gain access to files and documents. 

Commentary on the Spyware

 Alexey Shulmin, a Kaspersky security researcher had this to say about the attack: “Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question. It is a reminder to the cybersecurity community that we never really have full visibility of everything that is going on in cyberspace.”

According to researchers: “This is a highly complex development. TajMahal is extremely rare, besides being very advanced and sophisticated. Spyware has a completely new code and it doesn’t seem to be related to some other spyware developed in the past”.

More Information about the Tajmahal

Tajmahal is capable of stealing data from the printer queue and from a CD that a victim has burnt, according to Kaspersk. Also, it can steal cookies from FireFox, RealNetworks, Internet Explorer, and Netscape Navigator. Here’s what the spyware can do. The spyware can exfiltrate important files from removable storage devices. The first thing it does is identify files on the removable drive, like a USB stick. Then, it extracts the targeted file the next time the USB is in the system. In fact, with Yokohama, attackers insert a USB in a compromised computer, scan the content on it, and then send a listing to its command and control server. This is where attackers can choose the files they want to extract and get their hands on from the infected system.

Unfortunately, that’s not the only way this Spyware can access files. Tajmahal has some more modules that can compromise files in other different ways. Furthermore, TajMahal is capable of capturing screenshots of the webcam and desktop as well as issuing commands. Even if someones deletes it from the frontend file or registry values, it reappears with a different name right after reboot.

 Contents of the Toolkit

The entire toolkit consists of backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen grabbers, key stealers, and a file indexer. Here’s a list of what this APT is capable of:

• Stealing cookies and optical disc images created by the victim.
• Intercepting documents and files from the print queue.
• Taking screenshots of and recording VoIP calls.
• Gathering data about the victim (including a list of backup copies of their iOS device).
• Indexing files even those on external drives and stealing certain files when the drive is recognized again.

What Is Tajmahal Spyware? – Final Thoughts

What makes the TajMahal so intimidating and worrying is its technical complexity. You know how only one victim has been confirmed, the worst is yet to come. The number of Tajmahal victims is going to increase. Beware of the TajMahal and its analogs. You should take all the necessary security measures to avoid the Tajmahal attack. We advise you to get educated about malware, spyware, rootkits, everything. You never know when you might need that kind of information.