US intelligence agencies have released information about a new variant of a 12-year-old malware family used by China's state-sponsored hackers to target governments, corporations, and think tanks.

Named "Taidoor," the malware has done an 'excellent' job of compromising systems since as early as 2008, with the actors deploying it on victim networks for stealthy remote access.

"[The] FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said in a joint advisory.

The US Cyber Command has also uploaded four samples of the Taidoor RAT to the public malware repository VirusTotal so that 50+ antivirus companies can check for the malware's involvement in other, unattributed campaigns.

However, the malware itself isn't new. In a 2012 analysis by Trend Micro researchers, the actors behind Taidoor were found to leverage socially engineered emails with malicious PDF attachments to target the Taiwanese government.

Calling it a "constantly evolving, persistent threat," FireEye noted significant changes in its tactics in 2013, wherein "the malicious email attachments didn't drop the Taidoor malware directly, but instead dropped a 'downloader' that then grabbed the normal Taidoor malware from the internet."

Then last year, NTT Security uncovered evidence of the backdoor being used against Japanese organizations via Microsoft Word documents. When opened, the document executes the malware, which establishes communication with an attacker-controlled server and runs arbitrary commands.

According to the latest advisory, this technique of attaching decoy documents containing malicious content to spear-phishing emails hasn't changed.

"Taidoor is installed on a target's system as a service dynamic link library (DLL) and is comprised of two files," the agencies said. "The first file is a loader, which is started as a service. The loader (ml.dll) decrypts the second file (svchost.dll), and executes it in memory, which is the main Remote Access Trojan (RAT)."
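Because the advisory describes Taidoor persisting as a service DLL (a loader started as a service, with the RAT decrypted and run in memory), one practical hunt is to review which DLLs the host's services are configured to load. The script below is an added example written for this article, not code from the advisory or from the agencies. It parses constructed `ServiceName|ServiceDll` records (shaped like the `ServiceDll` values found under each service's `Parameters` registry key on Windows; on a live host these would come from a registry export) and flags entries whose DLL lives outside the Windows system directories or whose file name matches a component named in the advisory (`ml.dll`, `svchost.dll`). The trusted-directory list and the default `%SystemRoot%` expansion are assumptions, so treat the output as a review queue rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records in the form "ServiceName|ServiceDll", as they might be
# exported from HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
# These are made-up entries for the example, not data from any real host.
SAMPLE_SERVICE_DLLS = """\
Dnscache|%SystemRoot%\\System32\\dnsrslvr.dll
Schedule|%SystemRoot%\\system32\\schedsvc.dll
VendorAgent|C:\\Program Files\\Vendor\\agent.dll
NetSvc2|C:\\ProgramData\\Microsoft\\Network\\ml.dll
NetMgr|%SystemRoot%\\system32\\svchost.dll
"""

# File names the advisory associates with Taidoor's loader and in-memory RAT.
ADVISORY_DLL_NAMES = {"ml.dll", "svchost.dll"}

# Directories from which service DLLs are normally loaded (assumed heuristic;
# extend it for environments with legitimate third-party service DLLs).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def expand_systemroot(path: str) -> str:
    """Expand %SystemRoot% to the assumed default; a real collector reads it from the host."""
    return re.sub(r"%systemroot%", lambda _m: "C:\\Windows", path, flags=re.IGNORECASE)


def parse_records(text: str) -> list[tuple[str, str]]:
    """Turn 'ServiceName|ServiceDll' lines into (name, expanded_path) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue  # skip blanks and malformed lines
        name, dll = line.split("|", 1)
        records.append((name.strip(), expand_systemroot(dll.strip())))
    return records


def assess_service_dll(dll_path: str) -> list[str]:
    """Return the reasons this ServiceDll value deserves review (empty list = nothing flagged)."""
    reasons = []
    p = PureWindowsPath(dll_path)
    lowered = str(p).lower()
    if not lowered.startswith(TRUSTED_DIRS):
        reasons.append("service DLL is loaded from outside the Windows system directories")
    if p.name.lower() in ADVISORY_DLL_NAMES:
        # Catches a payload dropped into System32 under an advisory-named file,
        # which the directory check alone would miss.
        reasons.append(f"file name {p.name} matches a component named in the Taidoor advisory")
    return reasons


def find_suspicious_services(text: str) -> dict[str, list[str]]:
    """Map each flagged service name to its list of review reasons."""
    findings = {}
    for name, dll in parse_records(text):
        reasons = assess_service_dll(dll)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in find_suspicious_services(SAMPLE_SERVICE_DLLS).items():
        print(f"{service}:")
        for reason in reasons:
            print(f"  - {reason}")
```

A DLL name alone is weak evidence (an attacker can rename files), so the path and name checks are combined and every hit is meant to be confirmed by examining the file itself, for example its signature, hash and creation time, before any response action.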

In addition to executing remote commands, Taidoor comes with features that allow it to gather file system data, capture screenshots, and perform the file operations needed to exfiltrate the gathered information.

CISA recommends that users and administrators keep their OS patches up-to-date, disable File and Printer sharing services, enforce a robust password policy, and exercise caution when opening email attachments.
You can find the full list of best practices here.
NEWS SOURCE: THE HACKER NEWS
