CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns.

Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT that is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government.

CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location, maintain persistent access to victims’ networks, and conduct further network exploitation.

Two versions of the malware have been identified, targeting 32-bit and 64-bit systems respectively. Taidoor is installed on victims’ systems as a service dynamic link library (DLL) and consists of two files: a loader that is started as a service, which decrypts and executes a second file in memory, and that second file, which is the main Taidoor Remote Access Trojan (RAT). The Taidoor RAT gives the attackers persistent access to enterprise networks, allows data exfiltration, and can download additional malware.
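Because the loader described above is registered as a service DLL, one defensive triage step is to audit which service DLLs are registered on a host and flag any that sit outside the Windows directory or lack a valid signature. The script below is an added example written for this article, not code from CISA or the Malware Analysis Report; the "outside %WINDIR%" and "not validly signed" heuristics are assumptions for review, not Taidoor indicators.

```powershell
# Added example: audit svchost-hosted service DLLs for review.
# Heuristics (assumed, not from the CISA report): flag a ServiceDll that lives
# outside the Windows directory or whose Authenticode signature is not 'Valid'.
# Findings are leads for analyst review, not confirmed infections.
$windir   = $env:WINDIR
$findings = @()

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $paramsKey = Join-Path $_.PSPath 'Parameters'
    if (-not (Test-Path $paramsKey)) { return }

    # Only services implemented as DLLs have a ServiceDll value under Parameters.
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }

    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $status = 'FileMissing'
    if (Test-Path $path) {
        # Get-AuthenticodeSignature also honours catalog signatures on supported Windows versions.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if ($sig) { $status = [string]$sig.Status }
    }

    $outsideWindir = -not $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
    $notValid      = $status -ne 'Valid'

    if ($outsideWindir -or $notValid) {
        $findings += [pscustomobject]@{
            Service       = $_.PSChildName
            ServiceDll    = $path
            Signature     = $status
            OutsideWinDir = $outsideWindir
        }
    }
}

# Print the candidates; pipe to Export-Csv to keep a record for the incident ticket.
$findings | Sort-Object OutsideWinDir -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell session so that every service key and DLL path is readable; compare the output against a known-good baseline from a clean build of the same image, since some legitimate third-party service DLLs will also be flagged.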

CISA has published a Malware Analysis Report that includes confirmed indicators of compromise (IoCs), suggested mitigations, and recommended actions that can improve protection against Taidoor malware attacks. In the event of an attack, victims should give the activity the highest priority for enhanced mitigation and the attack should be reported to either CISA or FBI Cyber Watch.

CISA’s recommended actions for administrators include maintaining up-to-date antivirus signatures, keeping operating systems and software patched, disabling file and printer sharing (or using strong passwords if file and printer sharing is needed), restricting the use of admin privileges, exercising caution when opening email attachments, implementing a strong password policy, enabling firewalls on all workstations to deny unsolicited connection requests, disabling unnecessary services on workstations, monitoring users’ web browsing habits, and scanning all software downloaded from the Internet prior to execution.

The IoCs, mitigations, and recommendations can be found in CISA’s Malware Analysis Report.

The malware warning follows a joint alert issued by CISA and the FBI in May about attempts by Chinese hackers to gain access to the networks of organizations involved in COVID-19 research and vaccine development to steal intellectual property and public health data. The agencies have observed an increase in attacks spreading malware under the guise of COVID-19 updates and in spear phishing attacks using COVID-19-themed lures. In July, the Department of Justice announced that two Chinese hackers had been indicted for hacking US healthcare firms, government agencies, medical research institutions and other targets.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.