US government reports Chinese RAT Taidoor that was used since 2008

Chinese government-sponsored hackers used remote access trojan in espionage campaigns against corporations and governments

Remote Access Trojan hase been used since 2008. The U.S government released the advisory^[1] stating about the malware strain actively used by Chinese state cyber actors.^[2] The FBI published an official statement in which the Cybersecurity and Infrastructure Security Agency and the Department of Defense made a joint report about a 12-year-old Chinese government-related computer malware.^[3]

Even though the malware itself is not new, it is constantly evolving and becoming more and more persistent, so a few samples got reported and analyzed.^[4]

Despite being around for a long time – and quite well known – Taidoor is a constantly evolving, persistent threat. We observed significant tactical changes in 2011 and 2012, when the malicious email attachments did not drop the Taidoor malware directly, but instead dropped a “downloader” that then grabbed the traditional Taidoor malware from the Internet.

Malware named Taidoor is the trojan that can compromise the system, so the attacker remotely gets the access and controls the network. Three agencies stated that new versions of Taidor got used to hack servers or networks to exploit those systems further and possibly exfiltrate sensitive data.

Differences between “traditional” and new Taidoor malware

It is known that typical Taidoor malware is delivered as common trojans – via email attachments with malicious components. When the file is opened, the payload of the virus gets dropped onto the targeted system and malware starts the connection to its C&C server using the HTTP. This request is the same since 2008, as researchers find the same GET pattern.

Past APT malware^[5] campaigns used various hosting platforms to transmit information from the C&C server to compromised targets. Taidoor Trojan also relies on this model. Never samples show that once the infected file is opened, malware exploits the flaw in Microsoft Office and drops the main payload on the computer.

The malware shows typical downloader traits. Such a virus connects to Yahoo Blog and downloads the contents of the blog post instead of connecting to the C&C server directly. These newer versions show differences because the network traffic is modified from the initial trojan release.

Spreading methods of the Chinese state-sponsored trojan

The use of malicious macros in Word files and other pieces of Microsoft Office documents, there are some details about new versions using Windows ScreenSqver file. This .scr file poses as a PDF or a Word document. These files get attached to spear-phishing emails. This is not changed for at least 12-years for this RAt and is commonly used by ransomware and trojan malware nowadays.

Taidoor is installed on a target's system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is started as a service. The loader (ml.dll) decrypts the second file (svchost.dll), and executes it in memory, which is the main Remote Access Trojan (RAT).

Unfortunately, Taidoor Remote Access Trojan can collect data about the system files directly from the device, take screenshots, trigger operations, and exfiltrate more information. CISA has recommendations for users and administrators. Chinese government cyber threats and actors exploit various flaws to get sensitive information. So organizations should:

• maintain security with up-to-date tools;
• keep patching OSs;
• disable sharing services;
• use strong passwords;
• restrict users' ability to install and run applications;
• enforce regular password changes;
• exercise caution when it comes to suspicious emails;
• enable the personal firewall on agency workstations;
• disable anything that is unnecessary;
• scan and remove suspicious email attachments;
• monitor web browsing habits;
• restrict particular sites;
• scan software downloaded from the internet;
• maintain situational awareness of the latest threats.