Three agencies of the US government have published today a joint alert on Taidoor, a new strain of malware that has been used during recent security breaches by Chinese government hackers.
The alert has been authored by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense’s Cyber Command (CyberCom), and the Federal Bureau of Investigation (FBI).
The three agencies have recently begun collaborating on releasing joint reports about new malware threats. The first joint alert was sent earlier this year, in February, when the three agencies warned about six new malware strains developed by North Korea’s state-sponsored hackers.
Taidoor — new Chinese remote access trojan
Their most recent joint alert, however, warns about new Chinese malware.
According to the three agencies, the new malware, named Taidoor, has versions for 32- and 64-bit systems and is usually installed on a victim’s system as a service dynamic link library (DLL).
This DLL contains two other files.
“The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).”
The Taidoor RAT is then used to allow Chinese hackers to access infected systems and exfiltrate data or deploy other malware — the usual things for which remote access trojans are typically employed.
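A defender-side triage for the persistence pattern described above, added here as an example and not code from the alert or the MAR: it reads svchost-hosted service registrations (the ServiceDll values under HKLM\SYSTEM\CurrentControlSet\Services) and lists those whose DLL resolves outside the Windows system directories. The SAMPLE records are constructed, and ServiceRecord, normalize, is_suspicious, triage and collect_live_services are names of my own.

```python
"""Flag svchost-hosted services whose ServiceDll lies outside the Windows system
dirs (added example, not code from the alert). A hit is a review candidate, not a verdict."""
import ntpath
from dataclasses import dataclass
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

@dataclass
class ServiceRecord:
    name: str
    image_path: str   # HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
    service_dll: str  # ...\<name>\Parameters\ServiceDll, "" if absent

def normalize(path: str) -> str:
    """Lower-case, drop quotes, expand the common %vars%, collapse '..'."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return ntpath.normpath(p)  # ntpath is usable on any host OS

def is_suspicious(rec: ServiceRecord) -> bool:
    """svchost-hosted service whose DLL lives outside System32/SysWOW64."""
    return bool(rec.service_dll) and "svchost.exe" in normalize(rec.image_path) \
        and not normalize(rec.service_dll).startswith(SYSTEM_DIRS)

def triage(records) -> list:
    return [r.name for r in records if is_suspicious(r)]

def collect_live_services() -> list:
    """Read every service from the live registry; empty list off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    def val(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                return str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            return ""
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as svc:
        names = [winreg.EnumKey(svc, i) for i in range(winreg.QueryInfoKey(svc)[0])]
    return [ServiceRecord(n, val(f"{base}\\{n}", "ImagePath"),
                          val(f"{base}\\{n}\\Parameters", "ServiceDll")) for n in names]

SAMPLE = [  # constructed records (not real Taidoor indicators) for an offline run
    ServiceRecord("Dhcp", r"%SystemRoot%\system32\svchost.exe -k netsvcs", r"%SystemRoot%\system32\dhcpcore.dll"),
    ServiceRecord("Spooler", r"%SystemRoot%\System32\spoolsv.exe", ""),
    ServiceRecord("UpdateSvc", r"%SystemRoot%\System32\svchost.exe -k netsvcs", r"C:\ProgramData\Update\svcupd.dll"),
]
```

On a Windows host, `triage(collect_live_services())` produces the review list; elsewhere `triage(SAMPLE)` exercises the logic offline.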
The FBI says Taidoor is normally deployed together with proxy servers to hide the true point of origin of the malware’s operator.
Taidoor has been used in the wild since 2008
While the joint alert introduces the cyber-security world to a new threat, in a tweet earlier today, US Cyber Command said the malware has been around and silently deployed on victim networks for at least 12 years, since 2008.
The three agencies have put out today a joint Malware Analysis Report (MAR) that contains recommended mitigation techniques and suggested response actions for organizations that want to improve detection, prevent infections, or have been infected already and need to remove the malware from their systems.
US Cyber Command has also uploaded four samples of the Taidoor malware on the VirusTotal portal [1, 2, 3, 4], from where cyber-security firms and independent malware analysts can download the files for further analysis and hunt for additional clues.
After the joint alert went out, Florian Roth, a malware analyst with Nextron Systems, said he had previously been detecting Taidoor samples, some dating back to March 2019, under the name Taurus RAT.