The U.S. government has exposed another set of malware tools used by attackers associated with the Chinese government, this time a remote access trojan that the group has been using to maintain persistence on target networks since 2008.
The RAT is known as Taidoor and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on Monday published a detailed analysis of the malware, which includes both x86 and x64 versions. Attackers connected to the Chinese government have been using the Taidoor malware, along with proxy servers, against organizations in the U.S., the advisory says.
Taidoor is a two-stage tool, with the initial portion being a loader that is designed to download, decrypt, and install the actual RAT portion of the malware. The malware uses a simple encryption scheme and once the RAT is decrypted, it begins the process of looking for some specific files on the machine and establishing communications with its C2 server. The initial infection vector for Taidoor isn’t clear.
“After completing this decryption function Taidoor iterates through the System Event Log, looking specifically for event IDs 6005 (event service started) and 6006 (event service stopped). After completing its decryption functions, Taidoor tries to connect to its C2 server. Once Taidoor and the C2 server finish the TCP handshake, Taidoor waits for at least one byte of data to be sent from the C2 server. This byte or bytes are not checked by Taidoor, anything can be sent,” the advisory says.
“After Taidoor has confirmed it has received at least one byte of data from the server, Taidoor sends a custom formatted packet over port 443. Note: this packet does not follow TLS protocol, and is easily identifiable. The initial packet sent from Taidoor to the C2 server in this case always starts with ‘F::’ followed by the encryption key that Taidoor and the C2 server will use to encrypt all following communications.”
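The two traits the advisory calls out, a server that speaks first on port 443 and a client payload that is not a TLS record and begins with "F::", are enough to write a flow-level heuristic. The following is an added example written for this article, not code from CISA or from the malware analysis; the sample flows, the single placeholder byte from the C2 and the key bytes after "F::" are constructed, since the advisory does not specify the key's length or format.

```python
"""
Flow-level heuristic for the Taidoor C2 handshake described in the CISA advisory:
a TCP session to port 443 in which the server sends data before the client does,
the client's first payload is not a TLS record, and that payload starts with b"F::".

Added example; sample flows below are constructed for illustration, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A flow is a list of (direction, payload) events in wire order.
# direction is "c2s" (client to server) or "s2c" (server to client).
Event = Tuple[str, bytes]

TLS_CONTENT_TYPE_HANDSHAKE = 0x16
TLS_WIRE_VERSIONS = (0x00, 0x01, 0x02, 0x03, 0x04)  # SSL 3.0 through the TLS 1.3 wire version
TAIDOOR_PREFIX = b"F::"


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record header (0x16 0x03 0x0X)."""
    return (
        len(payload) >= 3
        and payload[0] == TLS_CONTENT_TYPE_HANDSHAKE
        and payload[1] == 0x03
        and payload[2] in TLS_WIRE_VERSIONS
    )


@dataclass
class Verdict:
    matched: bool            # all three traits present
    server_spoke_first: bool # the "wait for at least one byte" trait
    reason: str
    key: bytes = b""         # bytes following "F::" in the client's first payload


def _first_index(events: List[Event], direction: str) -> Optional[int]:
    """Index of the first non-empty payload in the given direction, or None."""
    return next((i for i, (d, p) in enumerate(events) if d == direction and p), None)


def inspect_flow(dst_port: int, events: List[Event]) -> Verdict:
    """Apply the Taidoor first-packet heuristic to one TCP flow."""
    if dst_port != 443:
        return Verdict(False, False, "not destined to port 443")

    c2s = _first_index(events, "c2s")
    s2c = _first_index(events, "s2c")
    if c2s is None:
        return Verdict(False, s2c is not None, "client never sent a payload")

    client_first = events[c2s][1]
    server_first = s2c is not None and s2c < c2s

    if looks_like_tls_record(client_first):
        return Verdict(False, server_first, "client opened with a TLS handshake record")
    if not client_first.startswith(TAIDOOR_PREFIX):
        return Verdict(False, server_first, "non-TLS payload on 443 without the F:: prefix")
    if not server_first:
        # Prefix present but the client spoke first; worth a look, but not the full pattern.
        return Verdict(False, False, "F:: prefix present but client spoke first")

    return Verdict(True, True, "server-first, non-TLS, F:: prefix on port 443",
                   client_first[len(TAIDOOR_PREFIX):])


# Constructed sample flows (not captured traffic).
TLS_FLOW: List[Event] = [
    ("c2s", bytes([0x16, 0x03, 0x01, 0x00, 0xF5]) + b"\x01" + b"\x00" * 20),  # ClientHello record
    ("s2c", bytes([0x16, 0x03, 0x03, 0x00, 0x5A])),                           # ServerHello record
]

TAIDOOR_LIKE_FLOW: List[Event] = [
    ("s2c", b"\x00"),                       # unchecked byte from the C2, per the advisory
    ("c2s", b"F::" + b"0123456789abcdef"),  # key bytes are a placeholder (assumption)
]

if __name__ == "__main__":
    for name, flow in (("tls", TLS_FLOW), ("taidoor-like", TAIDOOR_LIKE_FLOW)):
        v = inspect_flow(443, flow)
        print(f"{name}: matched={v.matched} server_first={v.server_spoke_first} ({v.reason})")
```

The check is deliberately narrow: ordinary TLS on 443 always begins with a client-sent handshake record, so a session where the server transmits first and the client then replies with cleartext is unusual on its own, and the "F::" prefix ties it to this family. Because the advisory says the server's opening byte is never validated, a sinkhole or emulator can answer with any single byte to elicit the key-bearing packet.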
CISA’s advisory does not specify what types of organizations the Taidoor malware has been used against, but attackers affiliated with the Chinese government have targeted a wide range of enterprises, service providers, IT companies, and research organizations in recent years. There are several separate groups with distinct techniques, targets, and malware tools that are associated with China’s government, and CISA did not specify which of those groups has been seen using Taidoor.
The U.S. Cyber Command uploaded samples of Taidoor to VirusTotal on Monday.
The U.S. government has been tracking offensive cyber activity by the Chinese government and intelligence agencies for many years and in the last couple of years has been exposing operations and specific malware samples. The FBI and Department of Justice also closely track this activity and in May the FBI issued an advisory warning of attacks against organizations involved in COVID-19 research.
“The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors. These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” that warning said.