Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Kaspersky: New 'TajMahal' APT Malware Enables Espionage

Report Describes Technical Sophistication of the Threat
Kaspersky: New 'TajMahal' APT Malware Enables Espionage
New malware was named for India's Taj Mahal, based on a file found in the framework.

A new type of malware, dubbed TajMahal, offers its users a host of espionage techniques, including the ability to steal documents sent to a printer queue and pilfer data from a CD, Kaspersky Lab reports.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

TajMahal is likely the product of an advanced persistent threat group - but not one that's known to researchers, according to a new Kasperky report released Wednesday. So far, only one target has been identified - "a diplomatic entity from a country in Central Asia," according to the report.

"The technical sophistication is beyond doubt, and it seems unlikely that such a huge investment would be undertaken for only one victim."
—Kaspersky Lab researcher

The first known samples of this malware date to 2013, and the first and only documented use of it stems from 2014. Kaspersky researchers began studying it in late 2018, the report reveals.

"The TajMahal framework is a very interesting and intriguing finding," a Kaspersky researcher who worked on the analysis but asked not to be named, tells Information Security Media Group.

"The technical sophistication is beyond doubt, and it seems unlikely that such a huge investment would be undertaken for only one victim. A likely hypothesis would be that there are other additional victims we haven't found yet. There may also be additional versions of this malware that have not yet been detected."

The name TajMahal comes from one of the files that Kaspesky found, the researcher says.

Kaspersky announced the TajMahal discovery at the company's Security Analyst Summit 2019 in Singapore. At the show, researchers also described another APT operation called Gaza Cybergang that targeted hundreds of victims in 39 countries, and a new darknet marketplace called Genesis, which deals in stolen digital IDs that sell for $5 to $200 each.

Sophisticated APT Malware

While not much is known about TajMahal, or the group that created the malware, the Kaspersky analysis paints a picture of a highly sophisticated framework capable of several types of spying and espionage techniques. The researchers say they found about 80 malicious modules stored in its encrypted virtual file system, as well as one of the highest numbers of plugins ever recorded in this type of toolset.

In addition to stealing documents from printers and data from CDs, the malware can also request to steal a particular file from a previously seen USB stick. The next time the device is connected to a PC, the file is taken, Kaspersky reports.

Other TajMahal features, Kaspersky says, include backdoors, loaders, orchestrators, command-and-control communication, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers. It even has its own file indexer for the machine it's targeting.

Tokyo and Yokohama

The TajMahal framework consists of two packages - dubbed Tokyo and Yokohama - that work together. Both share the same code base, Kaspersky says.

When analysts studied the one infected system, both packages were found. It appears that Tokyo is deployed first, which then opens the door for Yokohama, which can target the specific victims the attackers are looking for and can stick around for backup purposes.

The Kaspersky researcher tells ISMG that the one known victim forwarded a file to the company's lab for analysis. An examination showed how sophisticated the malware is and that the group behind it spend a lot of time and effort to create it.

"The file turned out to be a malicious plugin of a level of sophistication that suggested an APT - and the lack of code similarity to any known attack suggested it was a previously unknown APT," the researcher says. "This triggered a deeper investigation, which led the researchers to the conclusion that the malware was is part of a previously unknown, extremely rare cyberespionage platform."

The only small connection the analyst could find is a malware sample called Turla, which had been tied to Russian intelligence. Inside that malicious file was a reference to an operation called "TadjMakhal."

The lone known victim of TajMahal has also been targeted by another APT group called Zebrocy, which also may have tied to Russian intelligence, the Kaspersky researcher notes.

Other Threats

At its conference, Kaspersky researchers also released several other studies about either newly discovered threat groups, Trojans and other security threats.

Of note is the discovery of the Gaza Cybergang APT group, which mainly targeted Arabic-speakers in various parts of the Middle East, including the Palestinian Territories, Kaspersky notes.

This particular APT is actually an umbrella organization made up of three distinct subgroups all running different operations with various levels of sophistication. The research released Wednesday focused on Cybergang Group1 and an operation called "SneakyPastes," which used remote access Trojans to target political groups and others.

The other interesting piece of research, published Tuesday is what Kaspersky calls "Digital Doppelgangers," an update on the 20-year-old practice of carding and identity theft. Within these schemes, cybercriminals are able to use different techniques and methods to evade anti-fraud measures used by banks and other financial institutions. Specifically, the researchers found that cybercriminals have the ability to steal the online fingerprints of victims.

The fingerprints, along with other personal and financial data, then are sold and traded on the underground marketplace called Genesis, Kaspersky reports.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.