Posted on August 4, 2020 at 12:56 PM
US government agencies have exposed a new Chinese malware strain known as the Taidoor Trojan. The US government agencies said the malware strain has been operating since 2008 but hid carefully to avoid detection.
The three US government agencies include the Federal Bureau of Investigation (FBI), the Department of Defense’s Cyber Command (CyberCom), and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA).
Trojan linked with Chinese government hackers
They published the joint alert on Taidoor today. The Trojan has been used to carry out recent security breaches by the Chinese government hackers.
The three agencies recently started collaborations to release the joint report on their recent findings of the malware strain. They sent the first joint alert in February this year when they informed the public about six new malware strains the North Korean state-sponsored hackers developed.
Latest remote access Trojan developed by China
For the most recent joint alert, the three security agencies warned about the new malware strain known as Taidoor, being masterminded by the Chinese.
Based on the reports of the three US agencies, the new malware versions of 64- and 32-bit systems are usually installed on the systems of the victims as a service dynamic link library (DLL).
The DLL houses two other files
The agencies also said the DLL houses two other malicious files. The first file, starting as a service, is a loader. It decrypts the second file, executing it in the memory (that’s the Remote Access Trojan).
Thereafter, the Taidoor RAT is used to give access to Chinese hackers to infiltrated systems and steal data or deploy other malware. This is generally the main job or area where remote access trojans are deployed.
According to the FBI, Taidoor is usually deployed along with proxy servers to hide the true operational base of the malware’s operator.
Actors have been deploying Taidoor malware since 2008
Although the joint alert of the security agencies serves as information to the cyber-security world, the security agencies have confirmed that the malware has been existing for more than a decade. The United States Cyber Command pointed out that the malware has been used in the wild for the past twelve years. They said the malware has been infecting victims’ systems since 2008.
Taidoor initially operating in a different name
After the three organizations have sent out an alert regarding the malware, Nextron Systems’ malware analyst, Florian Roth, revealed he previously detected the activities of Taildoor since last year. However, it was operating as Taurus RAT. He likened the samples of Taidoor with that of Taurus RAT, pointing out that both are the same.
Today, the three agencies issued a joint Malware Analysis Report (MAR) containing the recommended mitigation methods. They also offered suggestions on response actions for businesses and organizations that are looking to prevent infections and improve detection methods. It’s also meant for already affected organizations that want to remove malware from their systems.
Four samples of the Taidoor malware have already been uploaded by the United States Cyber Command. The samples were uploaded on the VirusTotal portal. From there, independent malware analysts and cyber-security firms can download the files for additional analysis and get more clues about the malware and its operational methods.
The agencies as well as other cybersecurity firms have issued advice on the prevention of this malware and other similar malware. Since malware is a Trojan, the most effective way is to remain security conscious. They should get a two-factor authentication on their devices and apps to prevent the malware from scooping into their servers.