High-stealth variant poses fresh security challenge for network defenders, one expert warns

State-sponsored attackers up the ante with new Taidoor malware strain

Technical analysis of fresh Taidoor samples released by the US government has illustrated the ability of state-backed threat actors to continually reinvigorate the aging malware.

The FBI issued a security alert last month warning organizations that threat actors were using a new strain of Taidoor, a remote access trojan (RAT) that’s said to be linked to the Chinese government.

The new-and-improved trojan variant, according to the FBI, was being used “in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation”.

Taidoor first emerged back in 2008 in a wave of attacks against government agencies and manufacturing and financial services firms across East and South East Asia. The threat actors have recently broadened their campaigns to Western Europe and North America.

Security researchers from ReversingLabs dissected four samples of the new variant published by US Cyber Command. The variant contains a DLL loader that decrypts the RC4-encrypted RAT module before executing its exported start function.

The new samples – two apiece for the loader and RAT module – contained two command and control (C2) domains and a single C2 IP, according to a blog post authored by Karlo Zanki, reverse engineer at ReversingLabs.

‘Tailoring the malware’

Sustaining the RAT’s 12-year stretch out in the wild, the emergence of a new strain demonstrates how “government sponsored actors often have enough time and resources for tailoring the malware to fit a specific target,” Zanki told The Daily Swig.

The researchers found related, older samples containing an extra layer of encryption that hides “the code responsible for configuration decryption, including the AES key and S-Box initialization”.

However, in 2017, the malware developers moved “that extra protection layer, probably to another PE artifact (the loader component).

“That the same AES key has been used for more than four years is a lucky coincidence which simplifies the IOC extraction for researchers and makes correlating samples easier,” he added.

Modifications are usually implemented to “regain undetectability”, Zanki told The Daily Swig, but they could also be made, for instance, to bypass “restrictive firewall settings” with “different protocols for data exfiltration”.

Sample haul

The FBI analysis is useful, he suggested, because state-backed hacking tools are typically deployed “in smaller, targeted attacks” rather than “in massive campaigns”, leaving researchers with few samples for analysis.

But based on their analysis of the four Taidoor samples, researchers found 23 related samples, and 40 new C2 IPs and domains extracted from their configurations.

“When you find a relatively big number of related samples you can compare them based on time information like compilation time and the time they were first spotted in the wild,” he told The Daily Swig.

“Such comparison can reveal correlations between the samples and some interesting information about the malware development process can jump out.

“Artifacts discovered in the collected samples reveal the reason that some of the malware modifications were made.”
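
The timeline comparison Zanki describes can be sketched in Python; this is an added example, not code from ReversingLabs or the original article. It reads the compile timestamp from each PE header and sets it against the first-seen date; the sample names, dates and the `fake_pe` helper are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc

def pe_compile_time(image: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE signature
    if e_lfanew + 12 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def build_timeline(samples):
    """samples: iterable of (name, image_bytes, first_seen).
    Returns rows ordered by compile time. A header claiming a build date later
    than the first sighting is flagged: the field is set by whoever built the file."""
    rows = []
    for name, image, first_seen in samples:
        compiled = pe_compile_time(image)
        rows.append({
            "name": name,
            "compiled": compiled,
            "first_seen": first_seen,
            "lag_days": (first_seen - compiled).days,
            "suspect_stamp": compiled > first_seen,
        })
    return sorted(rows, key=lambda r: r["compiled"])

def fake_pe(compiled: datetime) -> bytes:
    """Constructed stand-in: an MZ/PE header that carries only a timestamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, int(compiled.timestamp()))

# Constructed sample set (names and dates are illustrative, not real IOCs).
SAMPLES = [
    ("rat_b", fake_pe(datetime(2019, 6, 10, tzinfo=UTC)), datetime(2020, 8, 3, tzinfo=UTC)),
    ("rat_c", fake_pe(datetime(2021, 1, 1, tzinfo=UTC)), datetime(2020, 8, 3, tzinfo=UTC)),
    ("loader_a", fake_pe(datetime(2017, 3, 1, tzinfo=UTC)), datetime(2017, 3, 15, tzinfo=UTC)),
]

if __name__ == "__main__":
    for row in build_timeline(SAMPLES):
        flag = "  <-- timestamp later than first sighting" if row["suspect_stamp"] else ""
        print(f'{row["name"]:9} compiled={row["compiled"]:%Y-%m-%d} '
              f'first_seen={row["first_seen"]:%Y-%m-%d} lag={row["lag_days"]}d{flag}')
```
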

While specific variants offer specific lessons for at-risk organizations, the general advice for combatting state-sponsored malware “is almost always the same”, says Zanki.

“Follow the best practices recommended by security specialists – regularly patch OS, update AV products” as per recommendations in CISA threat analysis reports.

“Special care should be given to proper firewall configuration – all unnecessary ports should be blocked. For an A+ grade, you can find yourself a source of good YARA rules and look for fresh IOC lists for ongoing threats.”