China flag is depicted on the screen with the program code showing use of Taidoor malware attack for cyber espionage

US Government Agencies Issue Alert Over Taidoor Malware Attack in Chinese Cyber Espionage Campaigns

Three US government agencies issued a joint alert over a new Chinese malware strain targeting governments, corporations, and think tanks. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense’s Cyber Command (CyberCom), and the Federal Bureau of Investigations (FBI) authored the Malware Analysis Report (AR20-216A) describing the threat posed by the Taidoor malware attack.

The agencies claim that the new strain originated from Taidoor, a malware associated with Chinese state-sponsored threat actors. The malware exists in both 32- and 64-bit versions and is deployed as a remote access trojan (RAT) through DLL files. Although the virus was discovered back in 2008, use of Taidoor malware attacks in cyber espionage campaigns were only observed in the wild from 2012.

Indicators of Taidoor malware attack

New strains of Taidoor have both x86 and x64 versions. The malware is deployed on systems as a service dynamic link library (DLL) with two virus payloads. The first file (ml.dll) is a loader and is started as a service on the host system.  The loader executes in memory and utilizes a function named “MyStart” to decrypt the second file (svchost.dll), which is the main Remote Access Trojan (RAT) used in cyber espionage.

The FBI says that the malware is deployed with proxy servers to mask the command and control (C&C) servers contacted during cyber espionage activities. Research from FireEye indicates that the malware reads specific Yahoo blogs to extract an encrypted text containing the command-and-control server’s address.

The malware maintains a persistent presence on the host, giving Chinese hackers unfettered access to the system. The hackers can, therefore, wage cyber espionage campaign silently, without triggering users’ suspicion.

Matt Walmsley, EMEA Director at Vectra, points out the challenges posed by RATs, such as Taidoor.

“Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data, and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunities for RATs to operate undiscovered for extended periods as they hide in plain sight. They are a particularly useful tool for nation state-level threat actors who want to perform extended reconnaissance and maintain a point of persistence inside target organizations. That certainly seems to be the case here with activity being linked back to China from 2008.”

The hackers exploit the Taidoor RAT to exfiltrate data, run commands, and download additional malware to the system. A Taidoor malware attack also collects system data and captures screenshots.

To conduct cyber espionage campaigns, the Taidoor malware exploits CVE-2009-3129, CVE-2009-4324, CVE-2010-1297, CVE-2010-2883, CVE-2011-0611, CVE-2011-1269, and CVE-2012-0158 vulnerabilities.

Cyber espionage operations

Trend Micro designates the Taidoor RAT as BKDR_SIMBOT and has identified various attacks employing the RAT as early as 2010. The operations primarily target government agencies in Taiwan or governments and agencies interested in Taiwan. A typical Taidoor malware attack involves sending email attachments to deliver and install SIMBOT malware with RATs functionalities.

NTT also found a cyber espionage campaign against Japanese organizations exploiting Microsoft word document features.

FireEye has observed Taidoor malware since 2008. The firm notes that cyber espionage practices involving Taidoor malware underwent significant changes in 2013. However, a typical Taidoor malware attack never installs the malware directly on the system. Users are tricked into opening infected email attachments. While the malware is installing on the system, a decoy document is opened to allay any suspicions the user might have.

The latest threat emerged at a time when US agencies are accusing Chinese hackers of conducting cyber espionage campaigns to steal trade secrets from firms developing the COVID-19 vaccine.

Joseph Carson, the Chief Security Scientist & Advisory CISO for Thycotic, doubts that China is the only threat actor utilizing the malware.

“Absolutely, it is highly likely that the origin of Taidoor malware is from China. However, since it has been around for almost twelve years, it is very likely that several governments, organized cybercrime, and mercenary criminal hackers have got hold of the malware and are also using it.”

Defense mechanisms against a Taidoor malware attack

The US Cyber Command uploaded four Taidoor malware samples on the VirusTotal web portal to allow independent researchers to carry out further investigations.

The three agencies also advised users to update and patch up their operating systems, use strong passwords, and avoid opening suspicious email attachments. Disabling file and printer sharing or using strong passwords and active directory credentials to secure them is recommended. Activating firewalls can also block requests to suspicious endpoints, thus disrupting the cyber espionage campaigns.