Backdoor TajMahal uses sophisticated tools in an espionage campaign

The sophisticated TajMahal malware lets attackers steal documents that victims send to the printer queue

TajMahal spyware stayed under the radar for 5 years. Researchers found that the sophisticated malware, named TajMahal, has already been active for five years.

A new malware framework, dubbed TajMahal, has been discovered by security researchers at Kaspersky Lab. According to the research, the malware remained undetected for the past five years, although signs of its activity first surfaced last year, when an attack was spotted on an organization located in a Central Asian country.[1] The name of the backdoor stems from the filename it uses to deliver the stolen information to the attackers.

The malware is highly developed and very sophisticated: it is built from original code and consists of around 80 different modules. These modules support a large number of malicious plug-ins that carry out operations without being noticed. According to the more in-depth research, it has been in circulation since August 2013, and the latest traces of TajMahal date from April 2018.[2]

TajMahal managed to stay hidden for so long because of its novel, previously unseen functionality and its lack of code similarities to other APT frameworks or known malware. After the discovery, researchers described the strain as "a technically sophisticated APT framework designed for extensive cyber espionage."

The malware plants two malicious payload packages on the targeted system: Tokyo and Yokohama

Security experts say that the TajMahal malware framework is based on two different payload packages, "Tokyo" and "Yokohama." The former provides backdoor functionality and handles communication with the Command and Control (C2) server. Yokohama, in turn, is responsible for all the advanced capabilities of the TajMahal malware.

Cybersecurity experts note that these two packages together contain the roughly 80 modules, the largest number of plug-ins ever discovered in an Advanced Persistent Threat framework to date.[3]

These malicious plug-ins include the following components:

  • Backdoors.
  • Loaders.
  • Orchestrators.
  • C2 communicators.
  • Audio recorders.
  • Keyloggers.
  • File indexers.
  • Screen and webcam grabbers.

Once the Tokyo package has been downloaded onto the targeted system, it deploys the Yokohama payload. All of Yokohama's malicious components are kept in a Virtual File System. From there, the infection is capable of a wide variety of activities, e.g., collecting keystrokes, stealing browsing data and cookies, and stealing backups of Apple devices. Yokohama can also take screenshots during VoIP calls, steal documents from the printer queue, and copy various files from a plugged-in USB flash drive.[4]

An entity from Central Asia is the only victim found so far

Currently, there are no particular details on how TajMahal is distributed or how it is installed covertly. Nevertheless, security experts are deeply concerned about the existence of such a sophisticated piece of malware, which is the first seen to bundle dozens of modules in this way:[5]

The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity.

Only one victim infected by TajMahal has been identified so far: a diplomatic entity from Central Asia. However, security experts believe that there must be other victims still waiting to be found, since this kind of malware could affect almost any type of computer system given its operating principle and sophisticated design:[6]

The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase.

About the author
Olivia Morelli - Ransomware analyst
