Intelligence agencies in the US have released information about a new variant of a 12-year-old computer virus used by China’s state-sponsored hackers to target governments, corporations, and think tanks.

Named “Taidoor,” the malware has done an ‘excellent’ job of compromising systems as early as 2008, with the actors deploying it on victim networks for stealthy remote access.

“[The] FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said in a joint advisory.

The US Cyber Command has also uploaded four samples of the Taidoor RAT to the public malware repository VirusTotal, letting 50+ antivirus companies check for the virus’s involvement in other unattributed campaigns.

However, the malware itself is not new. In an analysis by Trend Micro researchers in 2012, the actors behind Taidoor were found to leverage socially engineered emails with malicious PDF attachments to target the Taiwanese government.

Calling it a “constantly evolving, persistent threat,” FireEye noted significant changes in its tactics in 2013, wherein “the malicious email attachments did not drop the Taidoor malware directly, but instead dropped a ‘downloader’ that then grabbed the traditional Taidoor malware from the Internet.”

Then last year, NTT Security uncovered evidence of the backdoor being used against Japanese organizations via Microsoft Word documents. When opened, the document executes the malware, which establishes communication with an attacker-controlled server and runs arbitrary commands.

According to the latest advisory, this technique of using decoy documents containing malicious content attached to spear-phishing emails hasn’t changed.