In a talk at the Kaspersky Security Analyst Summit in Singapore Wednesday, Kaspersky security researcher Alexey Shulmin revealed the security firm's discovery of a new spyware framework, an adaptable, modular piece of software with a range of plugins for distinct espionage tasks, that it's calling TajMahal. The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of "files of interest," automatically stealing them if a USB drive is inserted into the infected machine.
"Such a large set of modules tells us that this APT is extremely complex," Shulmin wrote in an email interview ahead of his talk, using the industry jargon (short for advanced persistent threat) to refer to sophisticated hackers who maintain long-term and stealthy access to victim networks.
Kaspersky says it first detected the TajMahal spyware framework last fall, on only a single victim's network: The embassy of a Central Asian country whose nationality and location Kaspersky declines to name. "This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both."
Those initial findings may indicate a very cautious and discreet state-sponsored intelligence-gathering operation, says Jake Williams, a former member of the National Security Agency's elite Tailored Access Operations hacking group.
But the compile times of various elements of TajMahal, the time stamps that indicate when a piece of it was programmed, indicate it was active both before and long after that date.