Kaspersky Announced A TajMahal Warning
Saanvi Araav - Apr 18, 2019
Kaspersky Lab warned us about a spying framework called TajMahal
News coming from New Delhi: a group of researchers at the cybersecurity firm Kaspersky Lab has found a sophisticated spying platform named TajMahal. It has been active for more than five years and appears to have no connection to other known threat actors. The main TajMahal framework has up to 80 malicious modules, some of which include rather unique functionality, for example the ability to steal from printer queues.
There is also a function to grab previously seen files from flash drives. In addition, the framework is capable of gathering the backup list for Apple devices, grabbing browser cookies, and taking data from CD burning.
The victim
The group at Kaspersky Lab has found only one victim of this platform so far: a central Asian embassy based in a foreign country. But it is very likely that there were other victims too.

The Lead Malware Analyst at Kaspersky Lab, Alexey Shulmin, said that so much investment could not have been made for just one victim, so there might be more victims that we do not know of, or other versions of the platform, or maybe both. He had not found out how it was distributed or how it infected its targets. The platform was able to remain unknown for over five years, which might be the result of its inactivity.
"Yokohama" and "Tokyo"
They added that they named this platform "TajMahal" because that is the name of the file used to exfiltrate the data. The "TajMahal" framework also has two main packages, "Yokohama" and "Tokyo."

The targeted system of the central Asian embassy mentioned above was infected with both Yokohama and Tokyo. Kaspersky Lab said that Tokyo might have been used in the first stage of the operation, while Yokohama was used later on against the real targets.