CISA Alerts of Increased Cyberattacks by Chinese Nation State Threat Groups that Use the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a high-priority notification warning companies of the danger of cyberattacks using the Taidoor malware, a remote access Trojan (RAT) that the Chinese authorities employ in cyber-surveillance operations.

Taidoor was first discovered in 2008 and has been used in numerous attacks on companies. The advisory was issued after the FBI, CISA, and the Department of Defense (DoD) discovered a new Taidoor RAT variant being used in attacks on American companies. Solid proof was found indicating that attackers working for the Chinese government are using the Taidoor RAT.

CISA pointed out in the advisory that the attackers are using the malware together with proxy servers to conceal their location, maintain persistent access to victims' networks, and further exploit compromised systems.

Two variants of the malware have been discovered, targeting 32-bit and 64-bit systems respectively. Taidoor is installed on the victim's system as a service dynamic link library (DLL) and consists of two files: the first is a loader that starts as a service, then decrypts the second file and executes it in memory; the second is the main Taidoor Remote Access Trojan (RAT). The RAT gives the attackers persistent access to business systems and enables data exfiltration and the installation of other malware.
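Because the loader persists as a service DLL, one defensive check is to inventory the ServiceDll values registered under HKLM\SYSTEM\CurrentControlSet\Services and flag any that point outside the Windows system directory. The following Python script is an added example and is not from the CISA advisory or its Malware Analysis Report; it parses a constructed fragment of a registry export (the format produced by `reg export`), and the service names and DLL paths in it are invented placeholders, not Taidoor indicators.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a .reg export of the Services hive (placeholder data,
# not real Taidoor indicators). In .reg files backslashes are doubled.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdSvc]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdSvc\Parameters]
"ServiceDll"="C:\\ProgramData\\Update\\upd.dll"
"""

# Match a service key or its Parameters subkey; capture the service name.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)(\\Parameters)?\]$")
# Match the three values we care about: string values or REG_DWORD values.
VAL_RE = re.compile(r'^"(ImagePath|ServiceDll|Start)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

# Directories where legitimate service DLLs are expected to live (assumption).
TRUSTED_DIRS = (r"%systemroot%\system32", r"c:\windows\system32")


def parse_services(reg_text):
    """Return {service_name: {value_name: value}} from a .reg export fragment."""
    services, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, text, dword = m.groups()
            # Undo the .reg escaping of backslashes; dwords are hex.
            current[name] = text.replace("\\\\", "\\") if text is not None else int(dword, 16)
    return services


def suspicious_service_dlls(services):
    """List (service, dll) pairs whose ServiceDll sits outside the trusted directories."""
    findings = []
    for name, vals in services.items():
        dll = vals.get("ServiceDll")
        if dll and not str(PureWindowsPath(dll).parent).lower().startswith(TRUSTED_DIRS):
            findings.append((name, dll))
    return findings
```

A hit only means the DLL path is unusual; confirm it against the published IoCs and the DLL's signature before treating it as a Taidoor infection.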

CISA has published a Malware Analysis Report containing verified indicators of compromise (IoCs), recommended mitigations, and suggested actions that could improve security against Taidoor malware attacks. If an attack occurs, victims should give it high priority so that it can be mitigated quickly, and the attack should be reported to either CISA or FBI Cyber Watch.

CISA recommended that administrators take the following measures:

  1. keeping antivirus signatures up to date
  2. patching operating systems and software
  3. disabling file and printer sharing (or using strong passwords when file and printer sharing is required)
  4. limiting the use of administrator privileges
  5. exercising caution when opening email attachments
  6. enforcing a strong password policy
  7. running firewalls on all workstations to reject unwanted connection requests
  8. turning off unneeded services on workstations
  9. monitoring users' web browsing habits
  10. scanning all software downloaded from the web before execution

The IoCs, mitigations, and advice are accessible here.

The malware warning follows a joint advisory released by the FBI and CISA in May regarding efforts by Chinese attackers to gain access to the systems of companies involved in COVID-19 research and vaccine development in order to steal intellectual property and public health records. The agencies have seen a rise in attacks spreading malware disguised as COVID-19 updates and in spear-phishing attacks using COVID-19-themed lures. In July, the Department of Justice announced that two Chinese attackers had been indicted for hacking American healthcare organizations, government agencies, medical research organizations, and other targets.