Researchers have uncovered an advanced persistent threat that for at least five years has used an array of hacking tools and covert automatic updates as part of a hacking campaign that bears little technical similarity to any other APT.
The “TajMahal” cyber-espionage framework, and the previously unknown group operating it, uses software backdoors, audio recorders, keyloggers, screen and webcam grabbers, cryptographic key stealers and up to 80 malicious modules in what Kaspersky Lab called a “full-blown spying framework,” according to research the company published Wednesday.
TajMahal is built on an entirely new code base that shares nothing with known malware or documented APT tooling, which helped its operators stay undetected between August 2013 and April 2018, the dates of the earliest and latest samples researchers found.
“Just to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue,” Kaspersky said in a blog post. “It also can request to steal a particular file from a previously seen USB stick; next time the USB is connected to the computer, the file will be stolen.”
Researchers have so far identified only one victim, a diplomatic entity from a country in Central Asia, though others likely exist. In unrelated research last year, Kaspersky detailed a cyberattack against a “Central Asian” country that it attributed to a China-based hacking group; Mongolian websites were the true target, CyberScoop reported.
The TajMahal campaign is built on two malicious packages, called Tokyo and Yokohama. Technical evidence suggests Tokyo serves as the first-stage component, handling initial infection and loading Yokohama onto targeted machines, and then remains in place as a backup.
Yokohama is the “fully functional” malware package, researchers said. Along with stealing data from CDs, printers and USB sticks, it takes screenshots, records audio, steals data from web browsers, collects backup lists for Apple mobile devices and can re-establish itself after being deleted.