Taidoor Malware – Always Repurposed

August 11, 2020

This post looks at a piece of malware that has been modified repeatedly to stay relevant. In a joint report, cybersecurity experts from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) described a repurposed remote access tool used by Chinese government-backed actors. The malware, named Taidoor, has been in circulation since 2008 and has been updated many times since to keep pace with current events.

According to the report, the initial intrusion is a spear-phishing email sent to the targeted victim, with the malware delivered through an attachment such as a PDF, an MS Word file, or another document type. Earlier versions of Taidoor infected the target system immediately; once those were exposed, the developers added a time-delayed execution sequence so the implant could settle onto the target network without being picked up by security scanners. When the attached document is opened, a loader (ml.dll) starts the infection sequence. The loader then extracts the payload, svchost.dll, and loads it directly into memory, where it signals to the operators that the infection is complete and waits for commands.
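The two module names above are the only concrete indicators the report gives for the infection chain, so a defender's first hunt is over image-load telemetry. The following script is an added example, not code from the article or the CISA report: it parses constructed Sysmon-style ImageLoad records (the pipe-delimited format and every sample line are made up for illustration), flags ml.dll, flags svchost.dll (which is not a Windows component name), generalizes to any svchost look-alike loaded from outside the system directories, and correlates loader and payload hits within one process.

```python
"""Hunt Taidoor-style loader/payload activity in image-load telemetry.

Added example. Module names come from the article (ml.dll loader,
svchost.dll in-memory payload); the log format, the system-directory
allow-list and all sample events are constructed, not real telemetry.
"""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Module names the article ties to the Taidoor chain.
LOADER_NAME = "ml.dll"        # loader started when the lure document is opened
PAYLOAD_NAME = "svchost.dll"  # payload the loader places in memory

# Directories holding genuine Windows binaries (constructed allow-list).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style ImageLoad (Event ID 7) records, one per line:
# timestamp|pid|process image|loaded image
SAMPLE_EVENTS = [
    r"2020-08-11T09:02:11|4412|C:\Windows\System32\svchost.exe|C:\Windows\System32\ntdll.dll",
    r"2020-08-11T09:02:15|5120|C:\Windows\System32\svchost.exe|C:\ProgramData\ml.dll",
    r"2020-08-11T09:02:15|5120|C:\Windows\System32\svchost.exe|C:\ProgramData\svchost.dll",
    r"2020-08-11T09:02:40|5301|C:\Users\u\Desktop\report.exe|C:\Users\u\AppData\Local\Temp\svchost32.dll",
    r"2020-08-11T09:03:01|6030|C:\Program Files\App\app.exe|C:\Program Files\App\helper.dll",
]


def parse_event(line: str) -> Dict[str, object]:
    """Split one constructed record into its four fields."""
    ts, pid, process, image = line.strip().split("|", 3)
    return {"time": ts, "pid": int(pid), "process": process, "image": image}


def _basename(image: str) -> str:
    # Windows paths on any host: normalize separators before taking the leaf.
    return os.path.basename(image.replace("\\", "/")).lower()


def classify(image: str) -> Optional[str]:
    """Return a reason string if the loaded image is suspect, else None."""
    name = _basename(image)
    directory = image.lower().rsplit("\\", 1)[0] + "\\"
    if name == LOADER_NAME:
        return "Taidoor loader name (ml.dll)"
    if name == PAYLOAD_NAME:
        return "svchost.dll is not a Windows component; Taidoor payload name"
    if name.startswith("svchost") and not directory.startswith(SYSTEM_DIRS):
        return "svchost look-alike loaded from outside the system directories"
    return None


def hunt(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every record whose loaded image classify() considers suspect."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(str(ev["image"]))
        if reason:
            findings.append({**ev, "reason": reason})
    return findings


def full_chains(findings: List[Dict[str, object]]) -> Set[int]:
    """PIDs that loaded both the loader name and the payload name."""
    seen = defaultdict(set)
    for f in findings:
        seen[int(f["pid"])].add(_basename(str(f["image"])))
    return {pid for pid, names in seen.items() if {LOADER_NAME, PAYLOAD_NAME} <= names}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} pid={h['pid']} {h['process']} -> {h['image']}: {h['reason']}")
    print("full loader+payload chains in pids:", sorted(full_chains(hits)))
```

Two caveats when running this against real telemetry: a payload that is placed in memory by the loader may never generate an image-load record at all, so the loader on disk and the process that loads it are the more durable hook; and file names are trivial for an operator to change, so treat these matches as a hunting starting point rather than a signature.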


Once running, Taidoor can transfer files and network data, capture the screen, and execute commands remotely.


To stay under the radar, the operators are said to route their traffic through many proxy servers, which makes them harder to trace and also eases the transfer of stolen data.

Different variants of Taidoor have been repurposed to make the lure more appealing to the targeted victim and to raise the odds that the attachment is opened. Notably, successful intrusions were recorded in 2008, 2012, 2013, and 2019, each delivered through a well-crafted email. The agencies have also forwarded the variants covered in their report to antivirus vendors for further scrutiny and a more in-depth look at the extent of the infection.

Based on the statistics they hold, the experts believe that many malware and spyware families, not only Taidoor, have been repurposed around current events such as the Covid-19 pandemic. This plays on human curiosity and the urge to stay up to date in order to lure victims into taking the bait, which gives the perpetrators free access to the victim's resources.

Users and administrators alike are therefore advised to stay vigilant and cautious when opening attachments from untrusted sources. They should also enforce a strong password policy and limit file sharing within the network, including preventing unauthorized applications from downloading updates or installing new software. These measures are the network's first line of defense against a possible intrusion.
