DHS Urges Highest Priority Attention on Old Chinese Malware Threat

Published: 23/11/2024   Category: security



Taidoor is a remote access tool that has been used in numerous cyber espionage campaigns since at least 2008.



On Monday the US government urged enterprise organizations to give the highest priority to malicious activity involving Taidoor, a Chinese remote access Trojan that has been used in cyber-espionage campaigns since at least 2008.
In a Malware Analysis Report (MAR) dated August 3, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said that researchers from multiple federal agencies had observed Chinese government actors using a variant of the malware in recent attacks.
An analysis of the activity shows that the attackers are using Taidoor variants in conjunction with proxy servers to maintain persistence on compromised networks and to enable further exploitation, according to CISA. The CISA report includes a complete list of indicators of compromise along with suggested mitigation and response measures organizations can take to protect against the newly resurfaced threat.
"Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch)," the advisory noted. "Give the activity the highest priority for enhanced mitigation."
The CISA alert is the latest involving heightened threat activity from China-based actors. Just last month, the US government indicted two Chinese nationals on charges connected to the theft of intellectual property and business secrets, including COVID-19 research, from organizations in the US and elsewhere. Earlier this year, the US government indicted four members of China's military for allegedly being involved in the Equifax hack of May 2017. The indictments follow years of US accusations that China-based actors conduct systematic and widespread espionage campaigns against US corporations, government agencies, military and defense entities, and academic institutions.
Taidoor is a malware tool that multiple security vendors — including FireEye, Trend Micro and Symantec — have reported on over the years. Researchers have observed the malware being used in cyber-espionage campaigns targeting corporate organizations, think tanks, and government agencies in Taiwan and other countries with interests in Taiwan, including the US.
Substantial Threat
A detailed Trend Micro technical analysis of the malware in 2012 described Taidoor at the time as exploiting a wide variety of old and new vulnerabilities, including zero-days in Adobe Reader, Acrobat and Flash Player and in Microsoft Word, PowerPoint and Excel. Later, in 2014, the Taidoor operators also exploited Sandworm, a remote code execution flaw in Windows disclosed that year.
In initial campaigns the China-based government actors behind Taidoor used phishing emails with malicious attachments to distribute the malware. One of their tricks involved a decoy document that would open and behave as the recipient expected while executing the malicious payload in the background. In later campaigns, the operators of Taidoor stopped using emails to drop the malware directly on a victim's system. Instead, the rogue emails dropped a downloader, which would then retrieve the malware from a remote command-and-control server. A September 2013 FireEye report described a further evolution in tactics: instead of hosting the malware on remote command-and-control servers, the attackers began hosting it as encrypted text in Yahoo blog posts, so that the downloader's first network contact was a legitimate, widely used site rather than attacker-controlled infrastructure.
It is not entirely clear what specific malicious activity involving Taidoor triggered the new warning from CISA this week. So far, at least, none of the vendors that have previously tracked the malware have reported a resurgence in Taidoor activity.
A FireEye spokeswoman says researchers at the company are still looking into what might be going on.
"We've seen Taidoor used extensively over the last 10+ years; while it has become less common recently, we expect it is still in use," adds Ben Read, senior manager of analysis at FireEye's Mandiant Threat Intelligence group. According to Read, FireEye has observed the malware being used in attacks against law firms, nuclear power suppliers, airlines, East Asian governments, engineering firms, and organizations within the defense industrial sector.
Symantec did not immediately respond to a Dark Reading inquiry. Trend Micro says it is working on getting comments from its researchers in Asia and Europe.
Related Content:
Attacks On Patched Sandworm Flaw Force Microsoft To Issue Fix It
US Indicts 2 Chinese Nationals for Stealing IP & Business Secrets, Including COVID-19 Research
China's Military Behind 2017 Equifax Breach: DoJ
US DoJ Indicts Chinese Man for Anthem Breach
11 Security Tools to Expect at the Black Hat USA 2020 Arsenal Virtual Event
