Taidoor - A new variant of a 12-year-old RAT
Earlier this week, in one of my LinkedIn posts, I shared an alert which I received from my sources regarding an alert from US intelligence agencies, which informed us about a new variant of a 12-year-old Remote Access Trojan (RAT) used by China's state-sponsored hackers that targets governments, corporations, and think tanks.
Named Taidoor, this malware is reported to have done an 'excellent' job of compromising systems since 2008, with the actors deploying it on victim networks for stealthy remote access. The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said in a joint advisory that they have "high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to conduct further network exploitation."
Samples of this malware have been shared with 50+ antivirus companies to check whether it has been used in unattributed attacks. This is a persistent and evolving threat; a detailed report will be published a little later today!
How it works
In previous iterations of this malware, the actors behind Taidoor were found to leverage socially engineered emails with malicious PDF attachments to target the Taiwanese government. In later iterations the malicious email attachments did not drop the Taidoor malware directly but instead dropped a 'downloader' that then fetched the traditional Taidoor malware from the Internet.
Then last year, NTT Security uncovered evidence of the backdoor being used against Japanese organizations via Microsoft Word documents attached to emails. When such a document is opened, the malware executes, establishes communication with the attacker-controlled server, and runs arbitrary commands.
According to the latest advisory, this technique of using decoy documents containing malicious content attached to spear-phishing emails hasn't changed.
What does it do?
In addition to executing remote commands, Taidoor comes with features that allow it to collect file system data, capture screenshots, and carry out file operations necessary to exfiltrate the gathered information.
How to Protect yourself
Firstly, it is important to learn how not to fall victim to phishing and spear-phishing campaigns.
- Always be suspicious. Phishing emails try to freak you out with warnings of stolen information or worse, and then offer an easy fix if you just "click here." (Or the opposite: "You've won a prize! Click here to claim it!") When in doubt, don't click. Instead, open your browser, go to the company's website, then sign in normally to see if there are any signs of strange activity. If you're concerned, change your password.
- Check for bad spelling and grammar. Most of the missives that come from outside the US are riddled with spelling mistakes and bad grammar. As I noted earlier, big companies hire professionals to make sure their emails contain perfect prose. If you're looking at one that doesn't, it's almost certainly a fake.
- Beef up your browser. An accidental click on a phishing link doesn't have to spell disaster if your browser has security protection enabled: it will warn you and possibly block you from landing on a malicious website.
- Check the email sender's address - is it really from the company or person it alleges to be from?
It's also recommended that users and administrators
- Keep their operating system patches up to date,
- Disable File and Printer Sharing services,
- Enforce a strong password policy, and
- Exercise caution when opening email attachments.
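Two of the checks above, verifying the sender's address and treating document attachments with caution, can be automated on the defender's side before a message ever reaches a user. The following Python script is an added example; it is not part of this post or of the CISA advisory. It parses one RFC 5322 message, compares the domains in the From, Reply-To and Return-Path headers, and lists document attachments of the lure types this post describes (PDF and Word files). The sample message, the addresses in it and the lure-extension list are constructed assumptions for the example; the header names and the standard-library calls are real.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types this post describes as Taidoor lures (PDF, Word documents).
# The exact list is an assumption for this example, not taken from the advisory.
LURE_EXTENSIONS = {".pdf", ".doc", ".docx", ".docm", ".rtf"}


def header_domains(msg: EmailMessage) -> dict:
    """Map each sender-related header that is present to its address domain."""
    domains = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        _name, addr = parseaddr(str(value))
        if "@" in addr:
            domains[header] = addr.rsplit("@", 1)[1].lower()
    return domains


def triage(raw_message: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message.

    Two checks from the post are automated here:
      1. the From domain is compared with Reply-To and Return-Path, because a
         lure often shows a trusted sender while replies and bounces go elsewhere;
      2. every attachment whose file extension is a document lure type is listed.
    An empty list means neither check fired; it does not prove the mail is safe.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    domains = header_domains(msg)
    from_domain = domains.get("From")
    for header in ("Reply-To", "Return-Path"):
        other = domains.get(header)
        if from_domain and other and other != from_domain:
            findings.append(
                f"{header} domain {other!r} does not match From domain {from_domain!r}"
            )

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in LURE_EXTENSIONS:
            findings.append(
                f"document attachment {filename!r} ({part.get_content_type()}) - "
                "open only after verifying the sender out of band"
            )
    return findings


def build_sample(lure: bool) -> bytes:
    """Constructed sample mail. With lure=True it mimics the pattern the post
    describes: a plausible From, replies routed elsewhere, a Word attachment.
    Addresses and file contents are made up for this example."""
    m = EmailMessage()
    m["From"] = "Policy Desk <desk@ministry.example>"
    m["To"] = "analyst@victim.example"
    m["Subject"] = "Updated briefing attached"
    m.set_content("Please review the attached briefing before the meeting.")
    if lure:
        m["Reply-To"] = "desk@freemail.example"
        m["Return-Path"] = "<bounce@freemail.example>"
        # Constructed bytes standing in for a Word document; not a real file.
        m.add_attachment(
            b"\xd0\xcf\x11\xe0 constructed placeholder document body",
            maintype="application",
            subtype="msword",
            filename="briefing.doc",
        )
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample(True)), ("clean", build_sample(False))):
        print(f"[{label}]")
        for finding in triage(raw) or ["no findings"]:
            print("  -", finding)
```

Run against a real mailbox, `triage` would be fed the raw bytes of each message (for example from `mailbox.mbox`). The domain comparison deliberately stops at the registrable domain strings themselves; it is a triage signal for a human to follow up, not a verdict, which is why the attachment finding tells the reader to confirm the sender out of band rather than to open or discard the file.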