TajMahal spyware framework with a sophisticated, previously unseen code base discovered by researchers

The TajMahal APT framework has been active for at least the past five years

Security researchers at Kaspersky Lab have discovered a new spyware framework, called TajMahal, which is characterised by a highly sophisticated, previously unseen code base and contains 80 distinct modules.

This Advanced Persistent Threat (APT) framework - believed to be the work of a nation-state attacker - has been active for at least the past five years, although it was only discovered last year, when it was found targeting the diplomatic agency of a Central Asian country.

"The first known 'legit' sample timestamp is from August 2013, and the last one is from April 2018," Kaspersky Lab revealed.

So far, researchers haven't linked it to any known hacking groups or threat actors.

The spyware is also capable of exfiltrating important files from removable storage devices

They believe it could hide itself for so long because of its new code base, which has no resemblance to any other malware or APTs.

The framework infects systems using two packages, named Tokyo and Yokohama. Tokyo is made up of just three modules, one of which works as the initial backdoor. The backdoor uses the PowerShell hacking framework to enable attackers to spread their compromise and connect to a command-and-control server.

Yokohama, on the other hand, is multifunctional payload spyware, containing dozens of other modules to provide various functionalities.

The entre toolkit includes backdoors, orchestrators, loaders, C2 communicators, keyloggers, audio recorders, screen grabbers, a file indexer and key stealers.

Somehow, it has stayed under the radar for over five years

According to Kaspersk, TajMahal can steal data from the printer queue as well as from a CD burnt by a victim. It can also steal cookies from FireFox, Internet Explorer, RealNetworks and Netscape Navigator.

The spyware is also capable of exfiltrating important files from removable storage devices. First, it identifies files on the removable drive, such as a USB stick, and then extracts the targeted file the next time USB is inserted in the system.

TajMahal can capture screenshots of the webcam and desktop and also issue commands.

Even if it is deleted from the frontend file or registry values, it reappears with a new name after reboot.

"Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question," Kaspersky security researcher Alexey Shulmin told Wired.

"It is a reminder to the cybersecurity community that we never really have full visibility of everything that is going on in cyberspace."

Computing and CRN have united to present the Women in Tech Festival UK 2019, on 17 September in London.

The event will celebrate successful women in the IT industry, enabling attendes to hear about, and to share, personal experiences of professional journeys and challenges.

Whether you're the ‘Next Generation', an ‘Inspirational Leader', or an ‘Innovator of Tech' this event will offer inspiration on not only how to improve yourself, but how to help others too. The event is FREE for qualifying IT pros, but places will go fast