CISA, DOD, FBI expose new versions of Chinese malware strain named Taidoor

US government agencies say the Taidoor remote access trojan (RAT) has been used as far back as 2008.
Written by Catalin Cimpanu, Contributor

Three agencies of the US government have today published a joint alert warning US private entities about new versions of Taidoor, a malware family previously associated with Chinese state-sponsored hackers.

The alert has been authored by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), the Department of Defense's Cyber Command (CyberCom), and the Federal Bureau of Investigation (FBI).

The three agencies have recently begun collaborating on releasing joint reports about new malware threats. The first joint alert was sent earlier this year, in February, when the three agencies warned about six new malware strains developed by North Korea's state-sponsored hackers.

Their most recent joint alert, however, warns about new Chinese malware.

Taidoor -- a Chinese remote access trojan

The three agencies say the malware, named Taidoor, has been used since 2008. Previous versions of this malware were spotted in the wild in 2012 and 2013 and detailed in reports by NTT, FireEye, and Trend Micro, according to malware encyclopedia site Malpedia.

According to Florian Roth, a malware analyst with Nextron Systems, another name for this malware is the Taurus RAT.

In their most recent alert, the three US government agencies say they've spotted Taidoor being used in new attacks. The new Taidoor samples come in versions for 32- and 64-bit systems and are usually installed on a victim's system as a service dynamic link library (DLL), according to the joint alert.

This DLL file, in turn, contains two other files.

"The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT)."

The Taidoor RAT is then used to allow Chinese hackers to access infected systems and exfiltrate data or deploy other malware -- the usual things for which remote access trojans are typically employed.

The FBI says Taidoor is normally deployed together with proxy servers to hide the true point of origin of the malware's operator.

The three agencies have put out today a joint Malware Analysis Report (MAR) that contains recommended mitigation techniques and suggested response actions for organizations that want to improve detection, prevent infections, or have been infected already and need to remove the malware from their systems.

US Cyber Command has also uploaded four samples of the Taidoor malware on the VirusTotal portal [1, 2, 3, 4], from where cyber-security firms and independent malware analysts can download the files for further analysis and hunt for additional clues.
