1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

4/15/2019

0 Comments

Why TajMahal Is the Most Alarming Malware to Date

 
TajMahal Malware

Why TajMahal Is the Most Alarming Malware to Date

The discovery of the malware called “TajMahal” is alarming, not because it attacked a certain diplomatic organization but because of the high number of malicious acts that it can do, totaling 80, and the malware’s stealth capability, evading discovery for nearly 5 years.

Researchers at Kaspersky Labrecently revealed that a diplomatic organization belonging to a Central Asian country, a type of organization that’s often subject to cyber-attack due to its line of work, was a victim of the malicious software (malware) TajMahal. This malware, the researchers said, remained undetected in the diplomatic organization’s network for nearly 5 years, with the first known legitimate sample timestamp from August 2013 and the last one from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is in August 2014. The researchers said they first discovered the malware on the victim’s machine in the autumn of 2018.

Old and New Hacking Tools

According to Kaspersky Lab researchers, TajMahal malware comes in two packages, one package is named “Tokyo” and the other “Yokohama”. Tokyo and Yokohama, the researchers said, share the same code base found on all infected computers of the said diplomatic organization. The Tokyo package facilitates the first stage of the malware infection, while the Yokohama package facilitates the deployment of the staggering 80 malicious cyber activities.

The Tokyo package uses PowerShell script, an old and tested strategy used by cyber attackers. McAfee Labsreport found that PowerShell attacks increased between 2016 and 2017, and IBM X-Forcealso noted the growth of PowerShell attacks from October 2017 to October 2018.

PowerShell is a legitimate tool used by system administrators in simplifying and automating the management of Microsoft Windows and Windows Server. Malicious actors, meanwhile, use PowerShell to hide their malicious code as the code is executed directly from the computer memory, making the attack fileless and thus stealthier than other types of attacks. PowerShell also allows remote access – the ability to access a computer from anywhere in the world so long as the computer is connected to the internet.

Yokohama, meanwhile, unleashes payloads – the portion of the malware which performs malicious actions, of which 80 of them were uncovered by Kaspersky Lab researchers. Old hacking techniques that form part of the Yokohama package include keylogging and audio, screen and webcam grabbing. In keylogging, every keystroke made by a computer user is recorded and sent to the malicious actors. In audio, screen and webcam grabbing, screenshots, audio or video, for instance, from VoIP audio or video calls, are covertly recorded and the sent to malicious actors.

Aside from the slew of time-tested hacking tools, Yokohama package, in particular, and TajMahal in general, packed the following new hacking capabilities:

  1. Intercepting documents from the print queue;
  2. Stealing data from a CD burnt; and
  3. Stealing a particular file from a previously seen USB stick, that is, the next time the USB is connected to the computer, the file will be stolen.

Intercepting documents from print queue and stealing data from CD burnt and USB stick are particularly alarming as documents that are typically printed or copied to a CD or USB stick are sensitive and important. Any data stolen by the malware, whether text, audio, video or image, is then sent to the command and control server, a computer controlled by the attackers in the form of an XML file called "TajMahal" – the origin of the name of the malware.

According to the researchers at Kaspersky Lab, it’s not known how the TajMahal malware initially infected the diplomatic organization belonging to a Central Asian country. It isn’t also known is who is the individual or groups behind the TajMahal malware as this malware bears no resemblance with other known malware, which means that the attacker or attackers created this malware using new code base to evade detection. Anti-malware solutions typically block malware that bears small resemblance with other known malware. 

To date, the only known victim of the TajMahal malware is the diplomatic organization. According to the researchers at Kaspersky Lab, it’s unlikely that the attackers went all that trouble of creating a new malware just for one victim, and that the likely theory is that there are other victims that have yet to be identified. The researchers said that this theory is supported by the fact that they “couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected”.

Implications

TajMahal malware is a type of malware that shows the characteristics of an advanced persistent threat (APT), a cyberattack in which the attacker or attackers gain unauthorized access to a network and remain undetected for a prolonged period. The usual suspects of APT attacks are nation-state actors – individuals who have the “license to hack” on behalf of a particular nation or state to gain access to valuable data or intelligence and can create cyber incidents that have international significance.

In recent years, however, common cyber criminals, those whose motive is simply for profit, have gotten hold of the APT tools used by nation-state actors, making these APT tools part of their arsenal in attacking, not just large organizations but also small and medium-sized organizations – attacks that rendered these organizations vulnerable.

For instance, the APT hacking tool called “EternalBlue” has joined a long line of reliable favorites of common cyber criminals. EternalBlue is one of the hacking tools leaked publicly in 2017 by the group known as “Shadow Brokers”. This hacking tool is believed to be created by the U.S. National Security Agency (NSA) for its surveillance activities. A month before the public release of EternalBlue, Microsoft issued a security update, fixing the vulnerability exploited by EternalBlue.

This particular security update, however, wasn’t timely installed on hundreds of thousands of computers worldwide, leading to the successful unleashing of WannaCry, a malware that uses the EternalBlue hacking tool in exploiting the vulnerabilities in the Windows SMBv1 server (patched by Microsoft a month earlier), remotely encrypting files and locking users out of their own files and spreading it to other computers within a network without user interaction. Since the EternalBlue leak, many malware integrated the EternalBlue feature.

Combating malware and ATP threats has become a daily reality for many organizations. It requires specialized skills and resources. When your organization needs help, our cybersecurity experts a phone call away. Contact ustoday.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2025
    February 2025
    January 2025
    November 2024
    October 2024
    September 2024
    July 2024
    June 2024
    April 2024
    March 2024
    February 2024
    January 2024
    December 2023
    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    AI Security
    Artificial Intelligence
    ATP
    Awareness Training
    Blockchain
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cybercrime
    Cyber Espionage
    Cyber Insurance
    Cyber Security
    Cybersecurity
    Cybersecurity Audit
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    Data Privacy
    DDoS
    Email Security
    Endpoint Protection
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    Incident Management
    Insider Threat
    IoT
    Machine Learning
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third Party Risk
    Third-Party Risk
    VCISO
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
SME CyberShield
​Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit