It’s not every day that security researchers discover a new state-sponsored hacking group. Even rarer is the emergence of one whose spyware has 80 distinct components, capable of strange and unique cyberespionage tricks—and who’s kept those tricks under wraps for more than five years.
In a talk at the Kaspersky Security Analyst Summit in Singapore Wednesday, Kaspersky security researcher Alexey Shulmin revealed the security firm’s discovery of a new spyware framework—an adaptable, modular piece of software with a range of plugins for distinct espionage tasks—that it’s calling TajMahal. The TajMahal framework’s 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of “files of interest,” automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.
“Such a large set of modules tells us that this APT is extremely complex,” Shulmin wrote in an email interview ahead of his talk, using the industry jargon—short for advanced persistent threat—to refer to a sophisticated hackers who maintain long-term and stealthy access to victim networks. “TajMahal is an extremely rare, technically advanced and sophisticated framework, which includes a number of interesting features we have not previously seen in any other APT activity. Coupled with the fact that this APT has a completely new code base—there are no code similarities with other known APTs and malware—we consider TajMahal to be special and intriguing.”
It’s remarkable how long TajMahal remained undetected.
Kaspersky says it first detected the TajMahal spyware framework last fall, on only a single victim’s network: The embassy of a Central Asian country whose nationality and location Kaspersky declines to name. But given the software’s sophistication, Shulmin says TajMahal has likely been deployed elsewhere. “It seems highly unlikely that such a huge investment would be undertaken for only one victim,” he writes. “This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both.”
Those initial findings may indicate a very cautious and discreet state-sponsored intelligence-gathering operation, says Jake Williams, a former member of the National Security Agency’s elite Tailored Access Operations hacking group. “The extensibility of it requires a large developer team,” Williams notes. He points out also that the ability to avoid detection and the single known victim suggest extreme care in targeting, stealth, and operation security. “There’s all kinds of stuff here that screams opsec and very regimented tasking.”
Shulmin says Kaspersky hasn’t yet been able to connect TajMahal, named for a file the spyware uses to move stolen data off a victim’s machine, to any known hacker groups with the usual methods of code-matching, shared infrastructure, or familiar techniques. Its Central Asian target doesn’t exactly provide any easy clues as to the hackers’ identities either, given the vagueness of that description and the countries with sophisticated hacker teams with Central Asian interests, including China, Iran, Russia and the US. Nor has Kaspersky determined how the hackers behind TajMahal gain initial access to a victim network. But they do note that the group plants an initial backdoor program on machines, which the hackers labelled Tokyo. That backdoor uses the common hacking framework PowerShell to allow the hackers to spread their compromise, connect to the a command-and-control server, and plant TajMahal’s much more multifunctional payload spyware, labelled by the hackers as Yokohama, with its dozens of distinct modules.
Yokohama’s Swiss Army-style versatility is what stood out most to Kaspersky’s researchers. While it includes many of the usual, powerful capabilities of state-sponsored spies, it also has some more idiosyncratic features: When a USB drive is plugged into an infected PC, it scans its contents and uploads a list of them to the command-and-control server, where the spies behind TajMahal can decide which files they want to exfiltrate. If the USB drive has been removed by the time the hackers have made up their minds, TajMahal can automatically monitor the USB port for the same drive to pull off that file, and upload it the next time it appears. The spyware has other modules that allow it to flag files that have been burned to a CD, or put into a printer queue.
While none of those features are particularly flashy, they signal a careful adversary taking pains to discern which files among the vast and messy contents of a victim’s computer might be worth stealing. “One would not print information, save it to a USB stick, or burn it onto a CD if this information was not important in some way,” Shulmin says.
Considering its sophistication and eclectic features, it’s remarkable how long TajMahal remained undetected. The Central Asian embassy victim, Kaspersky says, had been compromised since at least 2014. But the compile times of various elements of TajMahal—the time stamps that indicate when a piece of it was programmed—indicate it was active both before and long after that date. Some modules dated back to 2013, while others dated as recently as 2018.
“Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question,” Shulmin writes. “It is a reminder to the cybersecurity community that we never really have full visibility of everything that is going on in cyberspace.”