Recently, attacks by Chinese state-sponsored actors on US companies using the older malware family “TAIDOOR” have been reported. TAIDOOR is a known remote access trojan (RAT): once installed, it gives the operators persistent, remotely controlled access to the victim’s environment.

With tensions between the US and China ramping up over the course of the last year, the number of Chinese state-sponsored attacks has been rising. With that volume of activity, organizations can find themselves falling victim even to aging malware families such as TAIDOOR.

The most common vector for TAIDOOR to enter a network appears to be a malicious payload delivered by email. These emails typically use a spoofed sender address, a vague subject line, or a message body that lures the victim into opening the attachment or clicking a malicious link. Once the payload is on a victim machine, TAIDOOR is decrypted and loaded by “ml.dll”, a malicious dynamic-link library (DLL) that acts as a loader. Once running, the RAT makes a series of Windows API calls to load the additional DLLs it needs to establish remote access.

“(The) FBI has high confidence Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.” – us-cert.cisa.gov

US Cyber Command has been identifying and publishing known MD5 and SHA-1 hashes of TAIDOOR samples to reduce US companies’ exposure. Further efforts go as far as reverse engineering the samples and publishing a collaborative malware analysis report with CISA and the FBI (linked below).

While this malware family is old, it is still used against poorly protected environments because phishing gives attackers an easy way in. Since phishing is a favored vector for many Advanced Persistent Threats (APTs) and less sophisticated threat actors alike, there are concrete steps companies can take to reduce the chance of an intrusion:

  • Add the published MD5 and SHA-1 hashes to your endpoint prevention and blocklist policies. A hash only matches that exact sample; a recompiled or repacked variant will not be caught, so hash blocking complements behavioral detection rather than replacing it.
  • Keep operating system and application patches up to date.
  • Filter inbound email attachments and links, and maintain an application allowlist so that unexpected executables and DLLs cannot run.
  • Use egress Access Control Lists (ACLs) and proxy rules to block outbound command-and-control (C2) connections; TAIDOOR is only useful to the attacker if it can reach its C2 infrastructure, often via proxy servers.
  • Remove local administrator privileges from standard user accounts so that a payload opened from a phishing email runs with limited rights.
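The hash recommendation above is only useful if the published digests are actually checked against what is on disk. The following Python script is an added example (not part of the original post and not a SpearTip or CISA tool) of a simple IOC sweep: it parses a plain hash list in which MD5, SHA-1 and SHA-256 digests may be mixed, hashes every file under a directory in a single pass, and reports hash matches (strong indicator) separately from matches on the loader file name `ml.dll` mentioned above (weak indicator, since a file name is trivially changed). The IOC list, the hash values and the files it sweeps in `demo()` are all constructed for the example; none of them are real TAIDOOR hashes, which should be copied from the report linked below.

```python
"""IOC hash sweep: compare files under a directory against a published hash list."""
import hashlib
import os
import tempfile
from pathlib import Path

# Stream files in 1 MiB chunks so large files do not need to fit in memory.
CHUNK = 1 << 20

# Hypothetical weak indicator: the loader file name named in the post. Anyone
# can rename a file, so a name match is reported separately from a hash match
# and should trigger a closer look, not an automatic block.
WEAK_NAME_INDICATORS = {"ml.dll"}

# Hex-digest length -> algorithm, so one list may mix MD5, SHA-1 and SHA-256.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def load_iocs(text: str) -> dict:
    """Parse a hash list (one hex digest per line, '#' comments) into
    {algorithm: {digest, ...}}. Lines that are not hex digests of a known
    length are skipped so a typo never silently becomes an empty match."""
    iocs = {algo: set() for algo in DIGEST_ALGOS.values()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        algo = DIGEST_ALGOS.get(len(line))
        if algo is None or any(c not in "0123456789abcdef" for c in line):
            continue
        iocs[algo].add(line)
    return iocs


def hash_file(path: Path) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_ALGOS.values()}
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root: Path, iocs: dict) -> list:
    """Walk root and return (path, kind, detail) findings. kind is 'hash'
    for a digest that appears in the IOC list or 'name' for a weak
    file-name indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():  # skip broken symlinks, devices, etc.
                continue
            for algo, digest in hash_file(path).items():
                if digest in iocs.get(algo, ()):
                    findings.append((str(path), "hash", f"{algo}:{digest}"))
            if name.lower() in WEAK_NAME_INDICATORS:
                findings.append((str(path), "name", name))
    return findings


def demo() -> list:
    """Self-contained run over constructed files in a temporary directory.
    The 'IOC' is the SHA-256 of a constructed byte string standing in for a
    digest copied from the report; it is not a real TAIDOOR hash."""
    payload = b"constructed sample bytes, not real malware"
    ioc_text = (
        "# constructed IOC list\n"
        + hashlib.sha256(payload).hexdigest() + "\n"
        + "not-a-hash\n"  # malformed line, should be ignored
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        (root / "sub").mkdir()
        (root / "sub" / "payload.bin").write_bytes(payload)
        (root / "sub" / "ML.DLL").write_bytes(b"different content")
        return sorted(sweep(root, load_iocs(ioc_text)), key=lambda f: f[1:])


if __name__ == "__main__":
    for path, kind, detail in demo():
        print(f"{kind:4s} {path} ({detail})")
```

To use it against a real host, replace `demo()` with a call to `sweep(Path("C:/"), load_iocs(open("iocs.txt").read()))`, where `iocs.txt` holds the digests copied from the CISA report. Treat the `name` findings as leads for a closer look and the `hash` findings as confirmed known samples, bearing in mind that a modified build of the same malware will produce a different hash and pass this sweep untouched.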

Source:

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a

Our proprietary tool, ShadowSpear®, and our elite cybersecurity engineers work around the clock for you, stopping attacks before they damage your environment. Learn more about ShadowSpear® before becoming a victim of a cyberattack. Email [email protected] to speak with a cybersecurity professional. Speartip.com has more information on why we do what we do.

24/7 Breach Response: 833.997.7327