Threat Watch

TajMahal Spyware

Some are calling it the Swiss Army knife of spyware because of its 80 different modules; it also uses a unique code base that does not resemble that of other APTs or malware. TajMahal was uncovered last year when it infiltrated the network of a Central Asian government entity, but researchers believe it has been active for at least five years. Although no known threat actor or hacking group has been credited with it, researchers believe it is the work of a nation-state attacker.

Tokyo and Yokohama are the names of the two packages used to infect targeted systems. The Tokyo package uses three simple modules: one is the initial backdoor, and the other two have yet to be published. Yokohama is more complex; it contains spyware with multiple modules that can perform various tasks. The toolkit includes backdoors, orchestrators, loaders, C2 communicators, keyloggers, audio recorders, screen grabbers, a file indexer and key stealers. It can carry out various other tasks, such as stealing printer-queue data and data from burnt CDs. The spyware can also steal cookies from Firefox, Internet Explorer, RealNetworks and Netscape Navigator. Files can be extracted from USB drives inserted into an infected device: on first insertion it reads the files and determines which ones it wants, and the next time the drive is inserted it pulls them from it. Even if TajMahal is deleted from the front-end file, it comes back under a different name when the system reboots.

ANALYST NOTES

Users are advised to apply a layered defense that can help lower the risk of information being stolen. Tools such as anti-spyware software as well as anti-virus, firewalls, and host anomaly detection/intrusion prevention software can be combined to defend against spyware and other attack vectors. Spam and content filtering for inbound email can also be used as a method of protection.
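The bulletin notes that the spyware reappears under a different file name after a reboot, which defeats a check that only looks for a known name. One host-side check that does not depend on the name is to snapshot file hashes before and after a reboot and flag any file that vanished under one name and came back under another with identical contents. The code below is an added example written for this bulletin, not tooling from the original report or from any vendor; the file names and contents are constructed, and a real deployment would read the snapshots from directories of interest (autostart locations, system directories) rather than from in-memory dictionaries.

```python
import hashlib


def snapshot_hashes(files):
    """Map each file name to the SHA-256 of its contents.

    `files` is a dict {name: bytes}. In a real deployment this would be
    built by walking the directories being monitored; the dict form is an
    assumption made so the example runs offline.
    """
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def find_reappeared(before, after):
    """Return (old_name, new_name, sha256) for every file that existed under
    one name in `before`, is gone under that name in `after`, and is present
    again in `after` under a different, previously unseen name with identical
    contents. Unchanged files and files that were deleted for good are not
    reported.
    """
    after_by_hash = {}
    for name, digest in after.items():
        after_by_hash.setdefault(digest, []).append(name)

    hits = []
    for old_name, digest in before.items():
        if old_name in after:
            continue  # still present under the original name
        for new_name in after_by_hash.get(digest, []):
            if new_name not in before:
                hits.append((old_name, new_name, digest))
    return hits


# Constructed sample snapshots (not real TajMahal artifacts): the same bytes
# disappear as "svc_helper.dll" and return as "upd_cache.dll" after a reboot,
# while a benign file is unchanged and an old log file is simply gone.
BEFORE = snapshot_hashes({
    "svc_helper.dll": b"CONSTRUCTED PAYLOAD BYTES",
    "notepad.exe": b"benign program bytes",
    "old.log": b"rotated log",
})
AFTER = snapshot_hashes({
    "upd_cache.dll": b"CONSTRUCTED PAYLOAD BYTES",
    "notepad.exe": b"benign program bytes",
})


def run_check():
    """Run the comparison on the constructed snapshots and return the hits."""
    hits = find_reappeared(BEFORE, AFTER)
    for old_name, new_name, digest in hits:
        print(f"reappeared: {old_name} -> {new_name} ({digest[:12]}...)")
    return hits


if __name__ == "__main__":
    run_check()
```

A match on content rather than name is only one signal; it should be combined with the autostart and anomaly-detection controls the analyst notes recommend, since a persistence mechanism can also rewrite the file with different bytes.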