Recently, the U.S. government exposed Chinese surveillance malware “TAIDOOR” that are secretly used by the Chinese government for a decade.
There has been a joint notice on TAIDOOR that has been revealed by the cybersecurity department of Homeland security (DHS) and Infrastructure Security Agency (CISA), the Federal Bureau of Investigations (FBI) and the Department of Defense’s Cyber Command (CyberCom).
All have claimed that a recent security breach has been detected, and in this event, the hacker who has been identified belongs to China; and TAIDOOR is a code that is generally used by VirusTotal.
Apart from this, there is a very high possibility that Chinese government actors are practicing malware alternatives in association with different proxy servers to keep an appearance on victim networks and to advance network exploitation further.
The U.S. CYBERCOM command tweeted that China’s TAIDOOR malware has been negotiating systems since 2008. This malware is generally used against government agencies, corporations, and think tanks, mostly ones with interest in Taiwan.
“FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to Chinese government malicious cyber activity.”
TAIDOOR – A Malware Used By The Chinese Govt.
TAIDOOR is in use since 2008, but its previous variant has been detected in the year of 2012 and 2013. Recently, the three U.S. government agencies have declared that they’ve spotted TAIDOOR is being used in new attacks.
TAIDOOR is generally used to install different malware together with the proxy servers so that they can hide the actual source of the malware’s operator.
This new malware named TAIDOOR has variants for 32- and 64-bit systems and is fitted on a victim’s systems as assistance with the name of the dynamic link library (DLL).
This DLL includes two other files; the initial file is a loader, which is inaugurated as a service. The work of the loader is to decrypt the second file and put it in memory, which is the center that is Remote Access Trojan (RAT).
Once they install the RAT, this service enables the threat actors to gain access to the infected systems and exfiltrate data or install other malware.
The three U.S. government agencies have declared a joint malware analysis report (MAR), it suggested some moderation methods, and here are the recommendations offered by CISA:-
- Always keep the patches of the OS up-to-date.
- Reduce the File and Printer sharing services.
- Keep up-to-date the antivirus Software.
- Implement a secure password system and perform periodic password changes.
- Restrain users’ ability to install and run undesired software applications.
- Allow an individual firewall on agency workstations, and configure it to reject all undesirable connection requests.
- Scan all software downloaded from the internet preceding to execute.
- Manage situational perception of the most advanced threats and perform proper Access Control Lists (ACLs).
The U.S. Cyber Command has also revealed four samples of the recently identified RAT malware alternatives onto the VirusTotal malware aggregation repository. But, CISA affirmed users to perform the recommended steps carefully so that they can keep their system network safe and secure.