Taidoor Strains seen again

Three agencies of the US government have today published a joint alert warning US private entities about new versions of Taidoor, a malware family previously associated with Chinese state-sponsored hackers.

The three agencies have recently begun collaborating on releasing joint reports about new malware threats. The first joint alert was sent earlier this year, in February, when the three agencies warned about six new malware strains developed by North Korea’s state-sponsored hackers.

The three agencies say the malware, named Taidoor, has been in use since 2008. Previous versions were spotted in the wild in 2012 and 2013, respectively, and were detailed in reports by NTT, FireEye, and Trend Micro, according to the malware encyclopedia site Malpedia.

In their most recent alert, the three US government agencies say they have spotted Taidoor being used in new attacks. The new Taidoor samples come in versions for 32- and 64-bit systems and are usually installed on a victim’s system as a service dynamic link library (DLL), according to the joint alert.

This DLL file, in turn, contains two other files.

“The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).”

The Taidoor RAT is then used to allow Chinese hackers to access infected systems and exfiltrate data or deploy other malware — the tasks for which remote access trojans are typically employed.

Taidoor is normally deployed together with proxy servers to hide the true point of origin of the malware’s operator.
