Taidoor: The new Chinese remote access Trojan malware

Three U.S. government agencies issued an alert related to the release of new versions of Taidoor, a variant of malware linked to attacks deployed by China’s government-sponsored threat actors. The alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Department of Defense Cyber Command (CyberCom) and the Federal Bureau of Investigation (FBI).

For a few months now these three agencies have published multiple reports on the most dangerous security threats and malware attacks affecting public and private organizations in the United States. The first notification, released in February 2020, concerned six new ransomware families developed by North Korean hackers.

[Image: taidoor.jpg] SOURCE: CISA

Regarding Taidoor, these agencies claim that the malware has existed since 2008, although new versions and updates are constantly being created. The latest detected versions date back to 2013, when security firms such as FireEye and Trend Micro began detecting the presence of the malware in multiple incidents; other researchers have dubbed this malware Taurus RAT.

Investigators have detected the presence of Taidoor in recent attacks. Apparently, the new malware samples include versions for 32-bit and 64-bit systems and are installed on the systems of attacked users in DLL form. In turn, the DLL contains two additional files: “The first file is a loader, started as a service. This loader decrypts the second file and runs it in the target system’s memory,” the alert mentions.

Once the execution is complete, threat actors are able to access compromised systems and extract sensitive data, install other malware variants, and carry out other attacks. The FBI states that the malware is deployed along with proxy servers to conceal its actual origin.

The alert issued by these agencies also includes some tips for mitigating attacks and incident response protocols in case the malware succeeds in running on the victims’ systems. Some Taidoor samples are also available on the VirusTotal platform, so researchers will be able to study the features of this new threat.