A Chinese state-backed hacking crew named Taidoor is deploying a custom remote access trojan (RAT) against Western organisations, according to US authorities.
Joint analysis by the US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) found that Taidoor's malware had been deployed onto target systems as a service DLL named svchost.dll.
The name is borrowed from svchost.exe, the legitimate Windows service host process that loads service DLLs from the registry; a DLL carrying that name is a lookalike, not a standard Windows component. Naming malicious files after legitimate ones to defy casual inspection is a trick as old as malware itself.
The Americans say Taidoor is sponsored by the Chinese government, and that its aim is "to maintain a presence on victim networks and to further network exploitation".
Ben Read, a senior analyst at FireEye-owned Mandiant Threat Intelligence, told The Register that the Taidoor malware had been "used extensively by multiple Chinese groups including APT 24 in the last 12 years," adding that "its use has declined in the past few years."
He continued: "These malware samples [from CISA] appear to be straightforward variants of Taidoor. Taidoor is a backdoor that can execute commands, exfiltrate information or download additional payloads onto a victim machine. We have also seen Taidoor attached to spearphishing emails. Some of the targets which Taidoor was used against include law firms, nuclear power suppliers, aerospace, governments in East Asia, defense industrial base and engineering firms."
Joseph Carson, chief security scientist at infosec firm Thycotic, cast doubt on whether the malware itself was being operated today by the Chinese state. He said in a statement: "Since it has been around for almost 12 years it is very likely that several governments, organized cybercrime and mercenary criminal hackers have got hold of the malware and are also using it."
Carson added that the MITRE ATT&CK (adversarial tactics, techniques, and common knowledge) framework reference documentation details Taidoor as having been seen in the wild since 2009.
While the CISA/FBI analysis went into some detail about how the latest strain functions, it gave little indication of how it spreads. One detail did stand out: the RAT has no persistence mechanism of its own, so something else has to make it survive a reboot. In CISA's words: "Taidoor does not have a function built into it that enables it to persist past a system reboot. It appears from the memory dump of the infected system, it was installed as a service DLL by some other means."
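The two details above (a service DLL that mimics a core Windows binary, and persistence supplied by a service registration rather than by the RAT itself) point at one place to look on a suspect host: the ServiceDll values that svchost.exe loads from the registry. The script below is an added example written for this article, not code from CISA's report or from the malware; the list of lookalike names and trusted directories is an assumption for illustration, and it should be run elevated on the host under review.

```powershell
# Added example, not from the CISA/FBI report: list every service DLL registered
# under HKLM\SYSTEM\CurrentControlSet\Services and flag the ones that look wrong.
# Assumptions (illustrative, not from the page): the lookalike-name list and the
# trusted directory list below; adjust them for your environment.

$trustedDirs    = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$lookalikeNames = @('svchost.dll', 'lsass.dll', 'csrss.dll', 'services.dll', 'winlogon.dll')

function Get-SuspiciousServiceDll {
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        # Most services keep ServiceDll under <service>\Parameters; a few keep it on the service key itself
        $dll = $null
        $paramsKey = Join-Path $svc.PSPath 'Parameters'
        if (Test-Path $paramsKey) {
            $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) {
            $dll = (Get-ItemProperty -Path $svc.PSPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) { continue }

        $path    = [Environment]::ExpandEnvironmentVariables($dll)
        $reasons = @()

        # 1. Filename borrowed from a core Windows binary (the svchost.dll trick)
        if ($lookalikeNames -contains ([IO.Path]::GetFileName($path).ToLower())) {
            $reasons += 'filename mimics a core Windows binary'
        }

        # 2. DLL living outside the directories service DLLs normally come from
        $inTrusted = $false
        foreach ($d in $trustedDirs) {
            if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += 'DLL outside System32/SysWOW64' }

        # 3. Missing file, or a file that does not carry a valid Authenticode signature
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        } else {
            $reasons += 'file missing on disk'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                ServiceDll = $path
                Start      = (Get-ItemProperty -Path $svc.PSPath -Name Start -ErrorAction SilentlyContinue).Start
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServiceDll | Sort-Object Service | Format-Table -AutoSize
```

A hit on the name check alone is worth pulling the file for analysis, since no stock Windows service should register a DLL called svchost.dll. The signature check is a hint rather than a verdict: some legitimate Microsoft DLLs are catalog-signed, and on hosts where catalog validation is unavailable they can show as NotSigned, so triage those by path and hash before calling them malicious. A Start value of 2 (automatic) on a flagged entry is the persistence the RAT itself lacks.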
Curiously, there is little other trace of Taidoor in the public domain under that name except for some isolated mentions dating back to 2012 and 2013. Trend Micro published an analysis of the Taidoor malware's C2 traffic eight years ago, noting that it "primarily targeted government organisations located in Taiwan". The attack vector was the age-old tactic of using phishing attacks to trick targets into opening email attachments.
Similarly, in 2013 FireEye noted that Taidoor's operators were using Yahoo! Blogs posts to host an encrypted form of the malware, making it easier to evade blocks and takedowns of C2 domains. At the time a lure seen by FireEye researchers was a Microsoft Word document referring to trade negotiations between China and Taiwan. ®