Recent disclosures from US intelligence agencies reveal an alarming resurgence of a 12-year-old strain of malware, known as “Taidoor.” This variant is believed to be employed by state-sponsored actors from China, targeting a wide array of institutions, including government bodies, corporations, and think tanks. The malware, which has been active since at least 2008, is adept at infiltrating systems and facilitating covert remote access for its operators.

According to a joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense (DoD), there is strong confidence that Chinese governmental entities are utilizing various malware adaptations alongside proxy servers to sustain their presence in compromised networks, thereby enabling further exploitation.

The US Cyber Command has taken proactive measures by uploading four samples of the Taidoor Remote Access Trojan (RAT) to VirusTotal, a well-known malware repository, allowing over fifty antivirus companies to assess its role in other unspecified cyber campaigns. It is crucial to note that while Taidoor itself is not a new threat, its evolution demonstrates a persistent danger. In a thorough analysis conducted by Trend Micro in 2012, it was determined that the actors behind Taidoor employed social engineering tactics, utilizing malicious PDFs to target Taiwanese governmental entities.

FireEye characterized Taidoor as a “constantly evolving, persistent threat,” noting significant shifts in its operational tactics by 2013. Initially, the malware was delivered directly as an email attachment; later campaigns instead used a downloader that retrieved Taidoor from the internet. More recently, NTT Security reported its use in attacks against Japanese organizations through compromised Microsoft Word documents. When these documents are opened, they activate the malware, which establishes communication with an attacker-controlled server and allows the execution of arbitrary commands.

The advisory emphasizes that the methods of employing decoy documents with embedded malicious content in spear-phishing emails remain unchanged. Taidoor infiltrates target systems using a service dynamic link library (DLL) setup, comprising two distinct files. The first file, a loader, is initiated as a service and subsequently decrypts a second file, which serves as the primary RAT.
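As an added illustration of the persistence mechanism just described (this is not code from the advisory or from any vendor cited here), the following PowerShell snippet enumerates Windows services that load a ServiceDll and flags entries that do not look like standard Windows components. The two checks it applies, location under the Windows directory and a valid Authenticode signature, are assumptions for triage and will also surface legitimate third-party software, so hits need manual review.

```powershell
# Added example (not from the advisory): list services that load a ServiceDll
# and flag DLLs outside the Windows directory or lacking a valid signature.
# Run as an administrator on the host being checked.
$windir = $env:SystemRoot
$services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

foreach ($svc in $services) {
    # Service DLLs are registered under the service's Parameters subkey.
    $paramsPath = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $paramsPath)) { continue }
    $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # Expand %SystemRoot%-style references so the path can be tested on disk.
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()
    if ($dllPath -notlike "$windir\*") { $reasons += 'outside Windows directory' }
    if (Test-Path $dllPath) {
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else {
        $reasons += 'file missing on disk'
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            Service    = $svc.PSChildName
            ServiceDll = $dllPath
            Reason     = ($reasons -join '; ')
        }
    }
}
```

Pipe the output to Export-Csv or compare it against a known-good baseline from a clean build of the same image to narrow the list to unexpected service DLLs.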

Beyond executing remote commands, Taidoor is equipped with functionalities that enable it to collect file system data, capture screenshots, and perform essential file operations to exfiltrate stolen information. In light of these capabilities, CISA recommends that users and administrators maintain up-to-date operating system patches, disable file and printer sharing services, enforce stringent password policies, and exercise caution when interacting with email attachments.

This situation underscores multiple adversary tactics as outlined in the MITRE ATT&CK Matrix, including initial access through phishing, persistence via establishing services, and potential privilege escalation techniques to gain elevated access to system resources. The overall implications for cybersecurity necessitate a proactive and vigilant approach among business owners to safeguard against such sophisticated threats. For a comprehensive list of best practices to mitigate these risks, refer to the CISA advisory.
