• Researchers from Kaspersky Lab found two different packages named Tokyo and Yokohama.
  • Tokyo was used to deploy Yokohama on victims’ machines, where the latter stole sensitive data belonging to the victims.

TajMahal, a sophisticated APT framework was recently discovered by researchers which is estimated to be operational since 2013. Security firm Kaspersky Lab which detected recent activity related to TajMahal indicated that it contained two different packages named Tokyo and Yokohama.

Furthermore, the researchers also found that the APT framework had around 80 plugins in an encrypted Virtual File System (VFS).

Worth noting

  • Both packages which are part of TajMahal employ a variety of malicious tools such as keyloggers, orchestrators, backdoors, C2 communicators, audio recorders, screen and webcam grabbers, and more.
  • TajMahal is mainly known to steal data from CDs and printer queues associated with compromised computers. In addition, it can steal a particular file from USB sticks inserted into these computers.
  • Tokyo is used as a first stage infection which then deploys the Yokohoma package for stealing data.
  • These packages also steal cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks.

Why does it matter - Kaspersky Lab emphasized that the number of plugins found in the APT framework was one of the highest they had encountered.

“The huge amount of plugins that implement a number of features is something we have never before seen in any other APT activity. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc,” the researchers wrote in a blog.

As of now, Kaspersky estimates that only one victim was impacted by TajMahal based on their telemetry.

Cyware Publisher