“TajMahal” is a newly discovered and technically sophisticated APT (Advanced Persistent Threat) framework detected by Kaspersky Lab in autumn 2018. It includes backdoors, loaders, keyloggers, audio recorders, a file indexer and other attacker tooling. A backdoor is a way to access a computer system or software by bypassing its security controls and normal authentication mechanisms.

TajMahal is a high-tech spyware framework with a very large number of plugins (roughly 80 malicious modules were found in its encrypted Virtual File System). TajMahal has been developed and used for at least five years: the earliest sample with a reliable compilation timestamp dates from August 2013, and the latest from April 2018. Spyware infects a device to steal information about its files, internet browsing and other sensitive data. Spyware is classified as a type of malware.

The TajMahal APT platform consists of two packages, Tokyo and Yokohama, and both play an important role. Tokyo is the first stage: it functions as the main backdoor of the framework and delivers the second-stage malware.

Yokohama is the second-stage payload of this APT. It carries an encrypted virtual file system that holds the plugins, third-party libraries and configuration files. The notable malicious behaviors observed in this stage are:

  • Stealing cookies
  • Intercepting documents from the print queue
  • Collecting data about the victim
  • Recording VoIP calls and taking screenshots of them
  • Stealing optical disc images burned by the victim
  • Indexing files, including those on external drives

The breadth of its capabilities makes TajMahal even more dangerous: such a large number of plugins had never before been observed in a single APT platform. To defend systems against TajMahal, a proven security solution such as Kaspersky Endpoint Security is therefore recommended.