The US government Monday urged enterprise organizations to pay the "highest priority" attention to malicious activity involving "Taidoor," a Chinese remote access Trojan that has been used in various cyber-espionage campaigns since at least 2008.
In a Malware Analysis Report (MAR) dated August 3, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said that security researchers from multiple federal agencies had observed Chinese government actors using a variant of the malware in recent attacks.
An analysis of the activity shows that the attackers are using Taidoor variants in conjunction with proxy servers to maintain persistence on compromised networks and to enable further exploitation, according to CISA. The CISA report included a complete list of indicators of compromise and suggested mitigation and response measures organizations can take to protect against the newly resurfaced threat.
"Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch)," the advisory noted. "Give the activity the highest priority for enhanced mitigation."
The CISA alert is the latest involving heightened threat activity from China-based actors. Just last month, the US government indicted two Chinese nationals on charges connected to the theft of intellectual property and business secrets, including COVID-19 research from organizations in the US and elsewhere. Earlier this year, the US government indicted four members of China's military for allegedly being involved in the Equifax hack of May 2017. The indictments follow years of US accusations about China-based actors conducting systematic and widespread espionage campaigns against US corporations, government agencies, military and defense entities, and academic institutions.
Taidoor is a malware tool that multiple security vendors — including FireEye, Trend Micro and Symantec — have reported on over the years. Researchers have observed the malware being used in cyber-espionage campaigns targeting corporate organizations, think tanks, and government agencies in Taiwan and other countries with interests in Taiwan, including the US.
A detailed Trend Micro technical analysis of the malware in 2012 described Taidoor at the time as exploiting a wide variety of old and new vulnerabilities, including zero-days in products such as Adobe Reader, Acrobat, Flash Player, Microsoft Word, PowerPoint, and Excel. One zero-day vulnerability that Taidoor exploited was "Sandworm," a remote code execution flaw in Windows that was disclosed in 2014.
In initial campaigns, the China-based government actors behind Taidoor used phishing emails with malicious attachments to distribute the malware. One of their tricks involved the use of a decoy document that would behave as a recipient might expect it to, while executing a malicious payload in the background. In later campaigns, the operators of Taidoor stopped using emails to drop the malware directly on a victim's system. Instead, they used the rogue emails to drop a downloader on a system that would later go out and grab the malware from remote command-and-control servers. A September 2013 FireEye report described a further evolution in tactics: instead of hosting the malware on remote command-and-control servers, the attackers began hosting it as encrypted text in Yahoo blog posts.
It is not entirely clear what specific malicious activity involving Taidoor triggered the new warning from CISA this week. So far, at least, none of the vendors that have previously tracked the malware have reported a resurgence in Taidoor activity.
A FireEye spokeswoman says researchers at the company are still looking into what might be going on.
"We've seen Taidoor used extensively over the last 10+ years; while it has become less common recently, we expect it is still in use," adds Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group. According to Read, FireEye has observed the malware being used in attacks against law firms, nuclear power suppliers, airlines, East Asian governments, engineering firms, and organizations within the defense industrial sector.
Symantec did not immediately respond to a Dark Reading inquiry. Trend Micro says it is working on getting comments from its researchers in Asia and Europe.