Project TajMahal – a sophisticated new APT framework

[harlan4096]

Executive summary

‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset.

Just to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file from a previously seen USB stick; next time the USB is connected to the computer, the file will be stolen.

TajMahal has been developed and used for at least the past five years. The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014.

More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).

Technical details

We have discovered two different types of TajMahal packages, self-named Tokyo and Yokohama. The targeted systems found by Kaspersky Lab were infected with both packages. This suggests that Tokyo was used as first stage infection, deploying the fully-functional Yokohama package on interesting victims, and then left in for backup purposes. The packages share the same code base, we identified the following interesting features:

* Capable of stealing documents sent to the printer queue.
*Data gathered for victim recon includes the backup list for Apple mobile devices.
*Takes screenshots when recording VoiceIP app audio.
* Steals written CD images.
* Capable of stealing files previously seen on removable drives once they are available again.
* Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies.
* If deleted from Frontend file or related registry values, it will reappear after reboot with a new name and startup type.

Victims

So far we have detected a single victim based on our telemetry – a diplomatic entity from a country in Central Asia.

Conclusion

The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc.

The question is, why go to all that trouble for just one victim? A likely hypothesis is that there are other victims we haven’t found yet. This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

Kaspersky Lab products detect the TajMahal APT samples as HEUR:Trojan.Multi.Chaperone.gen

Continue Reading