US Intelligence agencies expose new Chinese operated malware Taidoor that uses RAT


The US intelligence agencies, namely the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense’s Cyber Command (CyberCom), and the Federal Bureau of Investigation (FBI), have identified a malware variant used by Chinese government cyber actors, known as TAIDOOR. Taidoor malware has been used in many ongoing cyber-espionage campaigns. Its victims include government agencies, corporate entities, and think tanks, especially those with interests in Taiwan.

In a typical attack, targets receive a spear-phishing email that encourages them to open an attached file. If opened on a vulnerable system, malware is silently installed on the target’s computer while a decoy document with legitimate content is opened that is intended to alleviate any suspicions the target may have. Taidoor has been successfully compromising targets since 2008 and continues to be active today.

“[The] FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the three agencies said.

As part of the disclosure, US Cyber Command uploaded four samples of the Taidoor RAT to the public malware repository VirusTotal. The aim of making them public was to let 50+ antivirus companies check the samples for involvement in other, so far unattributed, campaigns.

The agencies also assess that the malware strain is the same one analyzed by Trend Micro researchers in 2012, when the actors behind Taidoor were found to use socially engineered emails with malicious PDF attachments to target the Taiwanese government.

According to the agencies, the new Taidoor samples come in 32- and 64-bit versions and are usually installed on a victim’s system as a service dynamic link library (DLL) consisting of two files. The first file is a loader, which is started as a service. The loader decrypts the second file, the main Remote Access Trojan (RAT), and executes it in memory, the report adds.
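One defender-side check that follows from this two-file layout, as an added example that is not code from the advisory or from the agencies: the loader is an ordinary PE file, while the stage it decrypts in memory sits on disk as a headerless, high-entropy blob, so the directory around a service DLL can be triaged for such companions. The file names, contents and the 7.2-bit entropy threshold are constructed assumptions, and the heuristic is a hunting aid, not a signature.

```python
import hashlib
import math

HIGH_ENTROPY = 7.2  # assumed threshold; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_encrypted_payload(data: bytes, min_size: int = 256) -> bool:
    """A blob with no PE ('MZ') header and near-random bytes deserves a closer look.
    The loader keeps its PE header; the stage it decrypts in memory usually does not."""
    return (len(data) >= min_size
            and not data.startswith(b"MZ")
            and shannon_entropy(data) >= HIGH_ENTROPY)


def suspicious_companions(files: dict) -> list:
    """Names of files (name -> bytes) matching the encrypted-stage pattern, sorted."""
    return sorted(name for name, data in files.items() if looks_like_encrypted_payload(data))


def _pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted blob (constructed)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:size]


# Constructed sample directory listing; these are not real Taidoor artefacts.
SAMPLE_FILES = {
    "svcldr.dll": b"MZ" + b"\x90" * 600 + b"This program cannot be run in DOS mode",
    "readme.txt": b"Quarterly planning notes for the regional office.\n" * 40,
    "stage2.dat": _pseudo_random(b"constructed-seed", 4096),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} entropy={shannon_entropy(data):.2f} bits/byte")
    print("flag for review:", suspicious_companions(SAMPLE_FILES))
```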

In addition to executing remote commands, Taidoor comes with features that allow it to collect file system data, capture screenshots, and carry out file operations necessary to exfiltrate the gathered information.

As an advisory, the agencies have recommended that users and administrators keep their operating system patches up-to-date, disable File and Printer sharing services, enforce a strong password policy, and exercise caution when opening email attachments.
