‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset.
Just to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file from a previously seen USB stick; next time the USB is connected to the computer, the file will be stolen.
TajMahal has been developed and used for at least the past five years. The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014.
More details about TajMahal are available to customers of the Kaspersky Intelligence Reporting service (contact [email protected]).
We have discovered two different types of TajMahal packages, self-named Tokyo and Yokohama. The targeted systems found by Kaspersky Lab were infected with both packages. This suggests that Tokyo was used as the first-stage infection, deploying the fully functional Yokohama package on interesting victims, and was then left in place for backup purposes. The packages share the same code base; among their features we identified the following:
- Capable of stealing documents sent to the printer queue.
- Data gathered for victim recon includes the backup list for Apple mobile devices.
- Takes screenshots when recording VoIP application audio.
- Steals written CD images.
- Capable of stealing files previously seen on removable drives once they are available again.
- Steals Internet Explorer, Netscape Navigator, Firefox and RealNetworks cookies.
- If the Frontend file or its related registry values are deleted, the implant reappears after reboot under a new name and with a new startup type.
So far we have detected a single victim based on our telemetry – a diplomatic entity from a country in Central Asia.
The TajMahal framework is an intriguing discovery, not least for its high level of technical sophistication, which is beyond any doubt. The sheer number of plugins implementing such a range of features is something we have never before seen in any other APT activity. For example, it has its own indexer and emergency C2s, and is capable of stealing specific files from external drives when they become available again.
The question is, why go to all that trouble for just one victim? A likely hypothesis is that there are other victims we haven’t found yet. This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.
Kaspersky Lab products detect the TajMahal APT samples as HEUR:Trojan.Multi.Chaperone.gen.
Appendix I – Indicators of compromise
A full set of IOCs and Yara rules is available to customers of Kaspersky Intelligence Reporting service – contact [email protected]
Domains and IPs
Appendix II – Additional technical details
The following table provides the full list of files stored in the VFS with a short description of what each plugin does:
| # | File | Description |
|---|------|-------------|
| | | C2 communication and command processing. WatchPoints document stealer. |
| | | LocalInfo. Collects a large amount of information, titled "TAJ MAHAL". |
| | | AudioRecorder. Microphone, Voice IP applications. |
| | | Open source-based LAME mp3 encoder ("Mar 27 2014") used by AudioRecorder plugins (adXX.dll). |
| 09 | dd.m | MP3 file sent by AudioRecorder (adXX.dll) when the cache is cleared. |
| | | AudioRecorder for Windows Metro applications. Injects ma32.dll into "wwahost.exe" or "audacity.exe". |
| 12 | ma32.dll | AudioRecorder for Windows COM. Hooks IAudioClient, IAudioRenderClient, IMMDevice. |
| | | Handy wrapper around the API of exXX.dll, pdXX.dll, sgXX.dll. |
| | | Orchestrator. Update/install/uninstall, selects target processes and loads plugins. |
| | | Template of the "Yokohama" Frontend module; used for reinstalling. |
| | | Provides API to access configuration settings, working files, egress queue. |
| | | Open source "libpng" library version 1.5.8 (February 1, 2012). Used by Screenshoter plugin (ssXX.dll). |
| | | LoadLibrary call template DLL used by the Reinstaller/Injector plugin (rsXX.dll) for injecting a LoadLibrary call into running processes. |
| | | Shellcode template used by Reinstaller/Injector (rsXX.dll) and AudioRecorder4MetroApp (meXX.dll) for injecting into running processes. Both versions of "obj32.bin" are the same; it seems to be stored twice by mistake. |
| | | Utility library. Provides API for cryptography, file, registry, memory management operations and so on. |
| | | Library for managing the egress queue (files and messages prepared to send to C2). |
| | | SuicideWatcher. Watches uninstall time, checks time diff (local time vs internet time). |
| | | Open source "XZip/XUnzip" library by Info-Zip + Lucian Wischik + Hans Dietrich. Used by Indexer (inXX.dll) and C2 communication (csXX.dll) plugins. |
| | | Open source "zlib" version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll). |
| 39 | il32.dll | IM-Stealer. Steals conversation content from chat windows of instant messaging applications. |
| | | Indexer. Indexes files on victim drives, user profiles, removable drives. Built index files are zipped (by zipXX.dll) and put in the send queue. |
| | | Proprietary "ISYS Search Software" components used by the Indexer plugin. Licensee_ID1 "Q5GXU H5W67 23B4W SCQFD 4G7HV 9GSLW". |
| | | Open source "sqlite" library. Used by "ISYS Search". |
| | | Thumbnailer. Makes and prepares to send thumbnails of found picture files. |
| | | FreeImage open source library supporting popular graphics image formats (ver 3.15.4 2012-10-27) (http://freeimage.sourceforge.net). Used by Thumbnailer (tnXX.dll) plugin. |
| | | Keylogger & clipboard monitor. |
| | | Steals printed documents from the spooler queue. This is done by enabling the "KeepPrintedJobs" attribute for each configured printer stored in the Windows Registry under the key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers. |
| | | EgressSender. Sends files from the output queue to C2. |
| | | Daily "ClientRecon" (ComputerName, OS information, MacAddress, WirelessNetwork keys, connected Apple devices, Apple mobile device backup list, IE version, SecurityCenterInfo (AV, Firewall and AntiSpyware products), Hardware info, Installed software including Metro Apps, Users, Autoruns). Checks and sends to C2 if something has changed. |
| | | Screenshoter. Periodic low-resolution screenshots. High-resolution screenshots of specified process windows and when recording VoIP application audio. See "ss_pr" & "ss_wt_nm" cfg vars. |
| | | Steals documents from fixed and removable drives. Watches CDBurnArea and steals written CD images. |
| | | Periodically takes webcam snapshots. |
| 77 | default.cfg | Default configuration settings file. |
| 78 | runin.bin | List of process names and the plugins that should be run inside those processes. |
| 79 | morph.dat | Configuration file storing the paths of work folders and registry keys. |
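The print-spooler row above describes the one technique in this table that leaves a configuration footprint a defender can check without the samples: a printer whose "keep printed documents" attribute has been switched on so that finished jobs stay in the spool directory for the implant to collect. The script below is an added triage example, not code from the report or from the TajMahal framework. It parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers" /s` collected from a host and flags every printer whose `Attributes` DWORD has the PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS bit (0x100, as defined in winspool.h) set. The sample registry dump and the printer names in it are constructed for the example; that the per-printer value is named `Attributes` is an assumption based on the documented PRINTER_INFO_2 structure, not something the report states.

```python
"""Flag printers whose Attributes DWORD has PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS set.

Added triage example: works on the text output of
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers" /s
so it runs offline against an export collected from a suspect host.
"""
import re

# Bit value from winspool.h; this is the "KeepPrintedJobs" attribute the report
# says the implant enables on every configured printer.
PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS = 0x00000100

# Constructed sample of `reg query ... /s` output (hypothetical printer names,
# not data captured from a real infection). The second printer has the bit set:
# 0x148 = 0x100 (KEEPPRINTEDJOBS) | 0x40 (LOCAL) | 0x08 (SHARED).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Office Laser
    Name    REG_SZ    Office Laser
    Attributes    REG_DWORD    0x48
    Port    REG_SZ    USB001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF
    Name    REG_SZ    Microsoft Print to PDF
    Attributes    REG_DWORD    0x148
    Port    REG_SZ    PORTPROMPT:
"""

# A printer subkey line: everything after ...\Print\Printers\ is the printer name.
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Print\\Printers\\(.+)$")
# The per-printer Attributes value; reg query prints DWORDs in hex (0x...).
ATTR_RE = re.compile(r"^Attributes\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)$")


def parse_printer_attributes(reg_text: str) -> dict[str, int]:
    """Map each printer subkey name to its decoded Attributes DWORD."""
    attrs: dict[str, int] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = ATTR_RE.match(line)
        if value and current is not None:
            # int(..., 0) accepts both "0x148" and a plain decimal string.
            attrs[current] = int(value.group(1), 0)
    return attrs


def printers_keeping_jobs(reg_text: str) -> list[str]:
    """Return the sorted names of printers that retain finished print jobs."""
    return sorted(
        name
        for name, value in parse_printer_attributes(reg_text).items()
        if value & PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS
    )


if __name__ == "__main__":
    for name in printers_keeping_jobs(SAMPLE_REG_QUERY):
        print(f"[!] {name}: keeps printed jobs; check %SystemRoot%\\System32\\spool\\PRINTERS for retained .SPL/.SHD files")
```

A hit is a hunt lead, not a verdict: "Keep printed documents" is a legitimate checkbox in the printer's advanced properties, so compare the result against the organisation's known printer configuration, and also read the mirrored printer keys under SYSTEM\CurrentControlSet\Control\Print\Printers from the same host in case only one copy was modified. Where the bit is set unexpectedly, the retained spool files are themselves evidence of what was exfiltrated.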