Vulnerability testing specialists from the International Institute of Cyber Security (IICS) reported the discovery of a modular and adaptable software variant with a wide variety of features designed to perform various cyber-espionage tasks.
A group of researchers from a cybersecurity firm discovered this spyware, stating that the framework includes not only the intrinsic characteristics of spyware (such as keystroke logging and screenshot capture), but also features not associated with this type of development.
According to the vulnerability testing specialists, the TajMahal spyware (as the researchers dubbed it) is able to intercept documents waiting to be printed, track files of interest to the attacker, and automatically extract the tracked files when an external storage unit is connected. As if that were not enough, the researchers said that this spyware does not seem to have any relation to any known group of cybercriminals linked to any government.
“This is a highly complex development. TajMahal is extremely rare, besides being very advanced and sophisticated,” the researchers said. “The spyware has completely new code and it doesn’t seem to be related to some other spyware developed in the past.”
According to the vulnerability testing specialists, the spyware was first detected in mid-2018, in a Central Asian country whose name has not been revealed for security reasons. Because it is a highly sophisticated development, researchers do not rule out that it has attacked in other locations.
After the first investigations, the experts concluded that the attackers begin the intrusion by implanting a backdoor program on the compromised computers. This program uses PowerShell to allow the attackers to connect to a command and control server, as they plant the most important payload of TajMahal, identified as Yokohama.
This component shows surprising versatility, the specialists mentioned. Thanks to Yokohama, attackers can connect a USB device to an infected computer, scan its contents and send a listing to their command and control server, from where they can select the files they want to extract from the compromised system. The spyware also has some modules to compromise files in other ways.