Vulnerability testing specialists from the International Institute of Cyber Security (IICS) reported the finding of a modular and adaptable software variant with a wide variety of features designed to perform various cyber spying tasks.
A group of researchers from a cybersecurity
firm discovered this spyware,
stating that the entire framework comprises not only the intrinsic
characteristics of a spyware (such as keyboard entries register and
screenshots), but also includes features not associated with this type of
development.
According to the vulnerability testing specialists,
TajMahal spyware (thus dubbed by the researchers) is able to intercept
documents waiting to be printed, to track files of interest for the attacker
and automatic extraction of tracked files when connecting an external storage
unit. If not enough, the researchers said that this spyware does not seem to
have any relation with any known group of cybercriminals linked to any
government.
“This is a highly complex development.
TajMahal is extremely rare, besides being very advanced and
sophisticated”, researchers mention. “Spyware has a completely new
code and it doesn’t seem to be related to some other spyware developed in the
past”.
According to the vulnerability testing
specialists, spyware was first detected in mid-2018, in a central Asian country
whose name has not been revealed for security reasons. Because it is a highly
sophisticated development, researchers do not rule out that it has attacked in
other locations.
After the first investigations, the experts
concluded that the attackers begin the raid by implanting a backdoor
program on the compromised computers. This program will use PowerShell to allow
attackers to connect to a command and control server, as hackers plant the most
important payload of TajMahal, identified as Yokohama.
This component shows a surprising versatility,
the specialists mentioned. Thanks to Yokohama, attackers can connect a USB to
an infected computer, scan its contents and send a listing to its command and
control server, from where attackers can select the files they want to extract
from the compromised system. Spyware also has some modules to compromise files
in other ways.
