Multiple Agency Announcement on Taidoor Remote Access Trojan Malware Analysis Report (AR20-216A)

Description

Today, The United States CyberSecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) released a joint report (Malware Analysis Report (AR20-216A)) on threat actors using remote access trojans and proxies to maintain a presence on the targeted victim's network. The report is related to an informational advisory published by CISA in May, "FBI-CISA PSA PRC TARGETING OF COVID-19 RESEARCH ORGANIZATIONS." This latest Malware Analysis Report (MAR) from CISA is for campaigns attributed to a threat actor and malware known as "Taidoor." Taidoor activity is attributed to Chinese government actors.

This report highlights a recently discovered campaign that is targeting multiple organizations in the United States involved in COVID-19 vaccines and treatments research. This latest announcement is not to be confused with the July 16th advisory from CISA (US)/NCSC (UK) on July 16th, also targeting organizations researching COVID-19. APT 29 aka "Cozy Bear/Duke" is attributed to Russia.

Contained within these sample sets are (4) unique samples discovered by CISA/FBI/DoD of the Taidoor remote access trojan (RAT). These samples range from the loader mechanism to the remote access trojan of Taidoor.

Why is Taidoor Significant?

First discovered in 2008, this group/family is named Taidoor due to it being first discovered attacking governmental organizations and interests in Taiwan. Taidoors' original modus operandi is to seek out targets and victims through social enginering attacks. First attacks observed were using Microsoft Word and Adobe Flash vulnerabilities, later evolving into malware being delivered via email as an attachment that would later download the Taidoor RAT. The latest advisory does not provide any information on the initial threat vector for the latest round of observed attacks. Although attacks in recent years have waned around Taidoor and that this malware family has been in existence for over a decade, the samples mentioned in today's MAR are new.

What is the Severity of Impact?

The severity should be regarded as low, due to the fact that these campaigns have been observed in limited, targeted attacks.

What is the status of AV and IPS coverage?

Customers running the latest AV definitions are protected with the following signature sets:

DATA/Taidoor.7EDD!tr

Data/Taidoor.664C!tr

W32/Taidoor.ED7B!tr

W64/Taidoor.7C1E!tr

IPS coverage is not feasible for this event.

All network IOC's are blocked by the WebFiltering client.

Appendix

MAR-10292089-1.v1–Chinese Remote Access Trojan: TAIDOOR

People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations