CISA Alerts of More Cyberattacks by Chinese Nation State Attackers that Employ the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) published a high priority advisory to warn businesses of the threat of cyberattacks that use the Taidoor malware, which is a remote access Trojan (RAT) that the Chinese government use in cyber espionage activities.

Taidoor was first of all found in 2008 and was utilized in several attacks on businesses. The notification was released after the FBI, the Department of Defense (DoD) and CISA found another Taidoor RAT variant that is being employed in attacks on U.S. businesses. Solid information was identified implying that threat actors employed by the Chinese government are utilizing the Taidoor RAT.

CISA stated in the notification that the threat actors are utilizing the malware jointly with proxy servers to disguise their location and obtain persistent access to the systems of victims and for even more network exploitation.

There are two versions of the malware identified that are being utilized to target 64-bit and 32-bit systems. Taidoor is saved onto the victims’ systems just like a service dynamic link library (DLL) and has two files: The first file is a loader that begins as a service, that decrypts and executes a second file in the memory. The number 2 file is the chief Taidoor Remote Access Trojan (RAT). The Taidoor RAT permits the attackers to have persistent access to organization networks and permits data exfiltration and the download of other malware.

CISA has released a Malware Analysis Report that comprises proven indicators of compromise (IoCs), proposed mitigations, and endorsed actions that may increase safety against Taidoor malware attacks. In the event of an attack, victims must prioritize the activity for better mitigation. Additionally, the attack must be reported to the FBI Cyber Watch or CISA.

CISA suggested that administrators do the following steps:

  • having up-to-date antivirus signatures
  • patching operating systems and applications
  • turning off file and printer sharing (or making use of strong usernames and passwords in case file and printer sharing is necessary)
  • restricting the usage of administrator privileges
  • exercising care if opening file attachments
  • adopting a strong password guideline
  • enabling firewalls on all work stations to refuse unsolicited connection requests
  • deactivating unneeded services on workstations
  • checking users’ net browsing patterns
  • monitoring all software obtained online prior to execution

The IOCs, mitigations, and suggestions are available here.

The malware alert comes after a joint alert given by CISA and the FBI in May concerning initiatives by Chinese hackers to get access to the [systems of businesses engaged in COVID-19 research and vaccine creation to take intellectual property and public health information. The agencies have noticed a rise in attacks spreading malware masked as information on COVID-19 and spear-phishing attacks utilizing COVID-19 themes baits. In July, the Department of Justice declared that two Chinese cybercriminals were indicted for hacking U.S. healthcare companies, government institutions, medical research bodies, and other entities.