U.S. law enforcement agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD), have jointly issued a malware alert about a new strain of “Taidoor” malware. The FBI stated with high confidence that the new variant was introduced by Chinese state actors planning to attack various industries in the U.S. in retaliation for the current geopolitical tension between the two nations.
- The Malware Analysis Report (MAR) has been jointly prepared by the CISA, FBI and DoD.
- The FBI is confident that Chinese state sponsored actors are behind this new variant of Taidoor malware.
- Four Taidoor samples have already been uploaded by the U.S. Cyber Command on Google’s VirusTotal repository.
- Threat actors are using this malware variant along with proxy servers to maintain access to victims’ networks and carry out further exploitation.
Taidoor was first sighted in 2008 and remains active to date. It has been used largely in cyber espionage campaigns across the globe, notably in Taiwan, Japan, and the U.S. According to a FireEye report published in 2013, Taidoor malware is traditionally delivered as a spear-phishing email attachment. If the attachment is opened, the Taidoor malware is dropped onto the target’s system and begins communicating with a command and control (C2) server. Taidoor connects to its C2 server over HTTP using “GET” requests, and this behaviour has been consistent since 2008.
However, the same study also stated that Taidoor is a constantly evolving and persistent malware threat. Researchers observed a tactical change in 2011-2012, when the malicious email attachments started dropping a “downloader,” which then fetched and installed the traditional Taidoor malware from the Internet.
This has since evolved further, according to the Malware Analysis Report (MAR) shared by CISA: “Taidoor is now installed on a target’s system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).”
| Attribute | Value |
|---|---|
| Threat type | Malware, Remote Access Trojan (RAT) |
| File type | 32-bit Windows DLL file |
| Number of .dll files used while installing the malware | Two (“ml.dll” is the Taidoor loader, which decrypts and loads “svchost.dll”, identified as the Taidoor malware) |
Files used for spreading the malware (SHA-256 hashes)
- 0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686 (svchost.dll)
- 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90 (svchost.dll)
- 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4 (ml.dll)
- 6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57 (rasautoex.dll)
Mitigation Measures Suggested by CISA
CISA and the FBI have already informed the affected victims, but they are still uncertain about the exact number of users affected by Taidoor. They recommend the following mitigation measures:
- Conduct regular reviews to determine whether there is a security concern or compromise.
- Implement detection tools to detect malicious activity.
- Additionally, customers and users of any IT service provider must:
  - Review and verify all connections between their systems, the service provider’s systems, and other client enclaves.
  - Restrict access to service provider accounts in their environment to appropriate purposes only, and disable them when not actively in use.
  - Check and maintain all system log files that could serve as evidence for investigation in case of an intrusion.
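As an added example of the detection step above (this code is not from CISA or the MAR), the script below triages an exported inventory of Windows service DLLs against the four SHA-256 hashes listed on this page, and additionally flags any service DLL carrying one of the MAR’s file names even when its hash is unknown. The CSV inventory is constructed here; the column names and the assumption that none of those file names belongs to a standard Windows DLL are mine.

```python
import csv
import io
import ntpath

# SHA-256 hashes and file names of the four Taidoor samples listed in the CISA MAR (taken from the page).
TAIDOOR_SHA256 = {
    "0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686": "svchost.dll",
    "363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90": "svchost.dll",
    "4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4": "ml.dll",
    "6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57": "rasautoex.dll",
}
# Assumption: none of these names is a legitimate Windows DLL, so a service DLL using one of
# them deserves a second look even when its hash does not match a known sample.
SUSPECT_NAMES = {name.lower() for name in TAIDOOR_SHA256.values()}

# Constructed sample inventory: one row per service, as an EDR or PowerShell export might provide it.
SAMPLE_INVENTORY = """service,service_dll,sha256
Dnscache,C:\\Windows\\System32\\dnsrslvr.dll,1111111111111111111111111111111111111111111111111111111111111111
RasAuto,C:\\Windows\\System32\\rasauto.dll,2222222222222222222222222222222222222222222222222222222222222222
NetSvcUpdate,C:\\ProgramData\\Update\\ml.dll,4A0688BAF9661D3737EE82F8992A0A665732C91704F28688F643115648C107D4
WinHelp,C:\\Users\\Public\\svchost.dll,3333333333333333333333333333333333333333333333333333333333333333
"""


def triage_services(inventory_csv):
    """Return (service, dll_path, reason) for every row matching a MAR hash or a MAR file name."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        digest = row["sha256"].strip().lower()          # exports differ in hex case; normalise
        path = row["service_dll"].strip()
        name = ntpath.basename(path).lower()            # ntpath handles Windows paths on any OS
        if digest in TAIDOOR_SHA256:
            hits.append((row["service"], path, "sha256 matches MAR sample " + TAIDOOR_SHA256[digest]))
        elif name in SUSPECT_NAMES:
            hits.append((row["service"], path, "file name " + name + " matches a MAR sample; hash unknown"))
    return hits


if __name__ == "__main__":
    for service, path, reason in triage_services(SAMPLE_INVENTORY):
        print(f"{service}: {path} -> {reason}")
```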