Security researchers at Kaspersky have discovered a highly sophisticated APT framework, dubbed TajMahal, that has been active for over 5 years.
According to Kaspersky’s research, the TajMahal framework remained undetected until the autumn of 2018 when the researchers detected an attack on a diplomatic organisation from a country in Central Asia.
TajMahal APT framework
The TajMahal APT framework is a high-tech modular-based malware toolkit that not only supports a large number of malicious plugins, but it also has a series of invasion tricks that have never been seen before.
“More than a mere set of back doors, TajMahal is a high-quality, high-tech spyware framework with a vast number of plugins (our experts have found 80 malicious modules so far), allowing for all kinds of attack scenarios using various tools,” said Kaspersky.
“According to our experts, TajMahal has been in operation for the past five years, and the fact that only one victim has been confirmed to date, suggests only that others have yet to be identified.”
‘Tokyo’ and ‘Yokohama’ packages
The APT platform consists of two main packages – Tokyo and Yokohama – that contain over 80 distinct malicious modules, which according to researchers, is the highest number of plugins ever seen for an APT toolset.
Tokyo acts as the main backdoor and delivers the second-stage malware, but researchers notice that it remains in the system even after the second phase begins.
Yokohama, meanwhile, is the weapon payload of the second stages, Kaspersky said. It creates a virtual file system complete with plugins, third-party libraries, and configuration files.
In addition, it can log keystrokes, steal browser cookies and data, including backup for Apple mobile devices, record and take screenshots of VoIP calls, steal written CD images, and steal files sent to the printer queue.
Number of victims
Though researchers have only found one TajMahal victim so far, they believe the number of victims is likely to increase.
“The technical complexity of TajMahal makes it a very worrying discovery, and the number of victims identified thus far is likely to increase,” concludes Kaspersky. “So far we have detected a single victim based on our telemetry.
“The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features are something we have never before seen in any other APT activity.
“The question is, why go to all that trouble for just one victim?” Kaspersky said. “This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.”