TajMahal Spyware

Kaspersky has released details about a sophisticated nation-state spyware it calls TajMahal:

The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of "files of interest," automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.

It was found on the servers of an "embassy of a Central Asian country." No speculation on who wrote and controls it.

More details.

Posted on April 11, 2019 at 6:24 AM • 14 Comments

Comments

wiredog • April 11, 2019 6:26 AM

"never-before-seen and obscure tricks. It can intercept documents in a printer queue"
No one has ever before intercepted documents heading to the printer? That seems like an obvious target, and a pretty easy one too.

Malgond • April 11, 2019 6:44 AM

I've interpreted that sentence not as 'intercept documents on their way to the printer queue', i.e. printed from the infected computer, but '... documents already on the printer queue', i.e. those printed from other computers - but it's just me. The original article does not clarify this either.

Petre Peter • April 11, 2019 7:09 AM

Sophisticated but not military grade even though it has its own indexer.

Tatütata • April 11, 2019 9:28 AM

> No one has ever before intercepted documents heading to the printer? That seems like an obvious target, and a pretty easy one too.

The printer itself would be a more obvious target, especially the larger models with built-in disk drives and remote maintenance from the manufacturer. How much can you trust Xerox, Kyocera, & co.?

When I go to the public library with my laptop, I notice dozens of queues in the printer list. These are apparently advertised by Apple products, and seem to accept jobs. Maybe one could undertake something with that.

Thirty years ago I pulled a harmless prank on a fairly obnoxious middle manager. A rather trivial DOS terminate-and-stay-resident program (remember these?) would intercept the printer interrupt, scan for the bloke's name in the output stream, and replace it with his nickname, which fortunately could be pronounced without blushing, and fitted in the same space. Several memos were distributed before anyone noticed, and no evidence could be found because of the transient nature of the exploit. That was when LANs were still a rarity, so it was an "evil maid" exploit: walk into the office and insert a diskette with an accomplice on the lookout. It certainly could have been a lot more sophisticated if facilities had been available.

Humdee • April 11, 2019 11:52 AM

> When I go to the public library with my laptop, I notice dozens of queues in the printer list. These are apparently advertised by Apple products, and seem to accept jobs. Maybe one could undertake something with that.

Was the pun with printer jobs and Steven Jobs intentional?

Pretzel • April 11, 2019 1:55 PM

@Malgond
Taken from the Kaspersky report (linked at the bottom of the blog entry):

> Steals printed documents from spooler queue. This is done by enabling the “KeepPrintedJobs” attribute for each configured printer stored in Windows Registry

I hope that helps.
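A defender's check for the mechanism the Kaspersky report describes, added here as an example (it is not from the report, the blog post, or any commenter): per-printer attributes live in the registry as a DWORD bitmask, and the KeepPrintedJobs behaviour corresponds to the documented spooler flag PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS (0x100). The script parses a `reg export` text dump of the Printers key (the key path and flag values are assumed from Windows documentation, not from the page; the dump below is constructed sample data) and lists printers that retain spooled documents after printing, which on a workstation is an unusual setting worth asking about.

```python
import re

# PRINTER_ATTRIBUTE_* bit values (assumed from the documented winspool
# constants; not taken from the page). Only the bits needed here are named.
PRINTER_ATTRIBUTE_FLAGS = {
    0x0001: "QUEUED",
    0x0002: "DIRECT",
    0x0004: "DEFAULT",
    0x0008: "SHARED",
    0x0010: "NETWORK",
    0x0020: "HIDDEN",
    0x0040: "LOCAL",
    0x0080: "ENABLE_DEVQ",
    0x0100: "KEEPPRINTEDJOBS",
    0x0200: "DO_COMPLETE_FIRST",
    0x0400: "WORK_OFFLINE",
    0x0800: "ENABLE_BIDI",
    0x1000: "RAW_ONLY",
    0x2000: "PUBLISHED",
}
KEEPPRINTEDJOBS = 0x0100

# Registry key that holds one subkey per locally configured printer (assumed).
PRINTERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers"

# Constructed sample of what `reg export` of that key looks like. Three
# printers: one keeps printed jobs (0x140 = LOCAL | KEEPPRINTEDJOBS), one is a
# plain local printer, one is a shared network printer with a data subkey.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Finance LaserJet]
"Name"="Finance LaserJet"
"Attributes"=dword:00000140

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Lobby Printer]
"Name"="Lobby Printer"
"Attributes"=dword:00000040

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Shared MFP]
"Name"="Shared MFP"
"Attributes"=dword:00000018

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Shared MFP\PrinterDriverData]
"Attributes"=dword:00000100
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value_string}}.

    Only the line shapes used by printer keys are handled: [key] headers and
    "name"=value lines. Multi-line hex values are not needed here.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip()
    return keys


def decode_attributes(raw):
    """Turn a .reg 'dword:XXXXXXXX' value into an int; reject anything else."""
    match = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if match is None:
        raise ValueError(f"not a dword value: {raw!r}")
    return int(match.group(1), 16)


def flag_names(attrs):
    """Names of the attribute bits set in `attrs`, lowest bit first."""
    return [name for bit, name in sorted(PRINTER_ATTRIBUTE_FLAGS.items()) if attrs & bit]


def printers_keeping_jobs(reg_text):
    """Return [(printer_name, attributes)] for printers with KEEPPRINTEDJOBS set.

    Subkeys below a printer (e.g. PrinterDriverData) are skipped so that an
    unrelated 'Attributes' value there cannot produce a false hit.
    """
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        if not path.startswith(PRINTERS_KEY + "\\"):
            continue
        name = path[len(PRINTERS_KEY) + 1:]
        if "\\" in name:
            continue
        raw = values.get("Attributes")
        if raw is None:
            continue
        attrs = decode_attributes(raw)
        if attrs & KEEPPRINTEDJOBS:
            findings.append((name, attrs))
    return findings


if __name__ == "__main__":
    for name, attrs in printers_keeping_jobs(SAMPLE_REG):
        print(f"{name}: 0x{attrs:08x} -> {', '.join(flag_names(attrs))}")
```

On a real host the input would come from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers" printers.reg` (the file is UTF-16, so open it with that encoding before passing the text in). A hit is not proof of compromise; an administrator can enable "Keep printed documents" deliberately, so the finding should be compared against the expected configuration and the printer's own spool folder reviewed for retained documents.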

Hi • April 11, 2019 3:17 PM

> No speculation on who wrote and controls it.

> sophisticated nation-state spyware it calls TajMahal

Odd choice of naming if there's no speculation on attribution. But then again maybe I'm just not well-versed in the logic of what goes into APT branding.

WeskerTheLurker • April 11, 2019 3:35 PM

Very interesting toolkit, especially since it doesn't have any hallmarks of the currently known APTs out there. Makes me wonder if this is a prototype, or a testbed of some sort?

@Hi
The second plugin module in this toolkit is called "Taj Mahal" by whoever developed it, so presumably that's how Kaspersky Labs came up with the name. There's a more detailed analysis of this on their Securelist blog along with a list of all 80 modules and what they do.

Hi • April 11, 2019 3:43 PM

@WeskerTheLurker

Ah, that's reasonable enough. Just the first unique name they saw.

1&1~=Umm • April 11, 2019 8:48 PM

Hmm,

"'And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.'"

Is this a first 'non-attribution'?

Hopefully people are learning ;-)

vas pup • April 12, 2019 1:25 PM

Office security/privacy related as well:
How does it feel to be watched at work all the time?

https://www.bbc.com/news/business-47879798

"His company gathers "data exhaust" left by employees' email and instant messaging apps, and uses name badges equipped with radio-frequency identification (RFID) devices and [ATTENTION!!!!] microphones.

These can check how much time you spend talking, your volume and tone of voice, even if you dominate conversations. While this may sound intrusive - not to say creepy - proponents argue that it can also protect employees against bullying and sexual harassment.

Humanyze calls these badges "Fitbit for your career".

No, please. That is '1984' on steroids in working environment.

vas pup • April 12, 2019 2:12 PM

More on spying without your knowledge:
Smart speaker recordings reviewed by humans
https://www.bbc.com/news/technology-47893082
"Are smart speakers recording all my conversations?

A common fear is that smart speakers are secretly recording everything that is said in the home.

While smart speakers are technically always "hearing", they are typically not "listening" to your conversations.

All the major home assistants record and analyse short snippets of audio internally, in order to detect a wake word such as "Alexa", "Ok Google" or "Hey Siri".

If the wake word is not heard, the audio is discarded.

But if the wake word is detected, the audio is kept and recording continues so that the customer's request can be sent to the voice recognition service.

It would be easy to detect if a speaker was continuously sending entire conversations back to a remote server for analysis, and security researchers have not found [YET] evidence to suggest this is happening."

I guess Clive knows that is possible, as he has posted many related comments.

65535 • April 12, 2019 3:39 PM

I wonder if the NSA's Ghidra reverse-engineering tool would work on this malware? Sure, there is only one sample of TajMahal, but others may be revealed.

meta.x.gdb • April 17, 2019 8:36 PM

This is the kind of persistent exploit that itself can be the target of a piggy-back exploit, or a full take-over. I mean, how hardened against attack is the typical exploit code back door? Sort of how easy it is to hijack an IoT that is already running Mirai. You don't need to write a Mirai exploit. You let Mirai carry the huge catalog of exploits, then you come in after and sniff out Mirai devices and bust into them and add them to your own botnet.
