Alert: Chinese Malware Targeting IT Service Providers
CISA, DOD, FBI Issue Warning About Campaign Using Taidoor RAT
A trio of U.S. government agencies is warning organizations, especially IT service providers, about a hacking campaign using a malware strain that has previously been tied to Chinese hackers, according to a public alert published this week.
While the Taidoor remote access Trojan, or RAT, has been around for over a decade, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the Department of Defense Cyber Command warned Monday that the malware has recently been spotted in several campaigns.
"China’s #Taidoor malware has been compromising systems since 2008. For more info on Taidoor, see @CISAgov and @FBI’s MAR https://t.co/zWYhSwkXjA and @US_CYBERCOM’s Virus Total. https://t.co/fSgk1x84JT"
USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert), August 3, 2020
The joint alert did not identify organizations that have been targeted by Taidoor malware. But the three agencies note that several U.S. IT service providers and their customers have been victimized over the last several months. Service providers in healthcare, pharmaceutical and research sectors, especially those working on the COVID-19 response, are at greater risk of being hacked using the Taidoor RAT, the agencies warn.
"Chinese government cyber threat actors are actively exploiting trust relationships between information technology service providers - such as managed service providers and cloud service providers - and their customers," according to the joint alert.
While Taidoor has been active since at least 2008, according to security firm FireEye, the joint alert notes that the malware has undergone several changes and now has some additional capabilities.
In these more recent cases, government analysts found that the hackers deployed new strains that are installed on victims’ devices through the Windows dynamic link library, or DLL, function, according to the alert.
The malware consists of two files. The first is a loader, which is started as a service on the infected device. The second is a loader that contains the actual RAT, according to the alert.
The alert notes that the operators behind Taidoor use proxy servers in conjunction with the malware to better hide the origin of the attack. The agencies believe that these attacks stem from hackers in China with connections to the government.
"The FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the alert states.
In a 2013 report, FireEye researchers found that the malware was spread to victims using spear-phishing techniques. Those targeted by the malware at that time included government agencies, corporate entities and think tanks, especially those with interests in Taiwan, the report notes.
COVID-19 Cyberespionage Threats
Since the beginning of the COVID-19 pandemic, hackers have been increasingly targeting organizations in the U.S. that are engaged in COVID-19 vaccine research.
In April, the FBI warned that hackers are targeting U.S. medical research facilities and healthcare organizations that are working toward developing coronavirus vaccines (see: FBI: Hackers Targeting US COVID-19 Research Facilities).
The U.S. Department of Justice in July charged two Chinese citizens in connection with breaking into the computer systems of hundreds of U.S. organizations to steal intellectual property. The alleged hackers are charged with activities that included searching for vulnerabilities to gain access to information on COVID-19 vaccine research (see: DOJ: Chinese Hackers Targeted COVID-19 Vaccine Research).
Due to rising cyberespionage threats to virus vaccine research, Senate Republicans proposed last month to allocate about $53 million to CISA for combating hackers that target the research (see: GOP Proposal: $53 Million for COVID-19 Research Security).