This article is more than 1 year old

Taj Mahal and SneakyPastes: Kaspersky reveals pair of attacks menacing Asia, Middle East

Fresh round of targeted operations unearthed

Kaspersky Lab has revealed a pair of attacks targeting governments and political groups in Asia and the Middle East.

The Russian security house has issued reports outlining how the operations have been stealthily avoiding detection until now.

Taj Mahal breaks its silence after five years

An unspecified diplomatic facility in central Asia was named as the home to Taj Mahal, a highly complex operation running two different pieces of malware that together load around 80 modules.

According to Kaspersky's research, nothing has been found tying the malware to any known cybercrime or espionage group, but whoever crafted the malware did an excellent job of keeping it quiet as the infection is believed to have been running undetected at the facility since 2013 or 2014.

The Taj Mahal infection operates as two separate pieces: a primary infection called Tokyo that sets up a backdoor via PowerShell and calls up the command and control server.

The second component of the attack, called Yokohama, is launched after Tokyo (but can still run alongside it) and carries the vast majority of the 80 attack modules. Those modules allow for specific espionage attacks, like pulling data from print queues, taking screenshots, or stealing cryptography keys.

Kaspersky Lab lead malware analyst Alexey Shulmin said that it is likely there are other groups infected by Taj Mahal, given the complexity and wide range of capabilities. Simply put, this thing is too big and complex to be a one-off attack.

"The distribution and infection vectors for the threat also remain unknown. Somehow, it has stayed under the radar for over five years," noted Shulman.

"Whether this is due to relative inactivity or something else is another intriguing question. There are no attribution clues nor any links we can find to known threat groups."

SneakyPastes sticks around the Middle East

The second attack unearthed by the Russian security house was far less steeped in mystery. A group dubbed Gaza Cybergang was said to be behind a series of politically-motivated attacks in the Middle East and North Africa, with its primary focus being in the Palestinian Territories (hence the name).

The group's new operation, dubbed "SneakyPastes" is believed to be the work of a relatively unsophisticated bunch (two other tiers of the group run the more technically advanced operations) and borrows heavily on scripts and code snippets lifted from sites like GitHub and PasteBin before finally installing a spyware app on the target's PC.

The campaign targets government agencies, media outlets, and political groups, and uses phishing emails designed to look like political messages.

"Based on the analyzed metrics, the victims were spread across 39 countries and reached 240+ unique victims. The Palestinian Territories host the majority of the victims, followed by Jordan, Israel, then Lebanon, as noted in the below table," Kaspersky says in its summary of the attack.

Image by Lana839

Brit hacker jailed for strapping ransomware to smut site ad networks


"The most targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking."

In addition to being a cheap and easy way to carry out the attack, Kaspersky researchers believe that the use of various scripts and methods of infecting victims, as well as using disposable email addresses, also helps the group hide its underlying infrastructure.

"All the stages’ executables are created as chains to avoid detection and protect the C2 server," Kaspersky notes.

"They consist mainly of persistence mechanisms and simple instructions despite their different forms (VBS scripts, PowerShell scripts, known software with open source code that can be backdoored, and in-house built dotnet apps)."

Those worried of attack should keep an eye out for the spear-phishing techniques used by the group to infiltrate companies. The report notes that the group focuses largely on political operations, so unsolicited or suspicious attachments that play on politics and global affairs should be handled with caution (or not at all). ®

More about


Send us news

Other stories you might like