Spyware is inherently intriguing, largely because of the complexity that lets it carry out its malicious plans, and breaking that complexity down is something security researchers do on a regular basis. Now, a uniquely elaborate form of spyware, with a phenomenal 80 different components and all kinds of tricks, has been discovered by a group of analysts after it remained hidden for half a decade.
In a recent talk at the Kaspersky Security Analyst Summit in Singapore, researcher Alexey Shulmin shed light on the firm’s discovery of an adaptable Swiss Army spyware framework called TajMahal.
As the name suggests, Swiss Army spyware comprises a vast array of tools and plugins for carrying out various espionage tasks. With 80 distinct modules, including not only standard ones such as keylogging and screen-grabbing but also entirely new tools, TajMahal is a wonder to behold.
According to Shulmin, the malicious toolkit can perform a range of tasks, from intercepting documents in a printer queue to stealing specific files during USB transfers. Moreover, the software bears no indication whatsoever of belonging to any known group of state-sponsored hackers, which makes it all the more mysterious.
Shumin went on to talk about the firm’s discovery of the spyware last fall, which came about as a result of detecting the embassy of a Central Asian country that was a victim of the spyware’s actions. He declined to name the country, but he did state that there were definitely other victims out there.
“It seems highly unlikely that such a huge investment would be undertaken for only one victim,” he wrote.
What is equally intriguing is how such an immense piece of software managed to stay under wraps for so long. Shulmin has termed it an advanced persistent threat (APT), one that not only has a whole host of new features but also a completely unique codebase. It seems implausible that something like this could have evaded scrutiny for five whole years.
As Shulmin wrote, “It is a reminder to the cybersecurity community that we never really have full visibility of everything that is going on in cyberspace.”