US agencies publicly link Taidoor malware to Chinese government

The warning comes in the midst of rising tensions between the USA and China

The US government has warned American organisations about the Taidoor malware, which threat actors linked to the Chinese government have used in recent cyber attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense (DoD) and the Federal Bureau of Investigation (FBI) recently identified the malware strain in a joint investigation.

According to the agencies, Taidoor is not actually a new malware strain; the Chinese government has been using it since 2008 to target government agencies, private entities and think tanks in espionage operations.

The US Cyber Command has uploaded samples of the malware to the malware sharing platform, VirusTotal.

"The FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the CISA said in the malware analysis report (MAR).

Taidoor has two versions, for 32- and 64-bit systems, according to CISA. It is usually deployed on target systems as a service dynamic link library (DLL) containing two files. The first file works as a loader to decrypt and execute the second file, which is the main Remote Access Trojan (RAT). The RAT is executed in the memory, allowing attackers to exfiltrate data from infected systems and deploy additional malware.

To mitigate risks associated with Taidoor and to strengthen the security of their systems and networks, the CISA recommends organisations to take following steps:

• Maintain up-to-date antivirus signatures and engines
• Regularly update operating systems
• Disable file/printer sharing services; if required, use strong passwords or Active Directory authentication
• Change passwords regularly
• Restrict users' permissions to install and run unwanted software
• Exercise caution while opening attached email files

The US government's decision to publicly link the Taidoor malware to the Chinese government comes amid rising tensions between the two countries.

In May, the FBI and CISA had issued an alert to warn organisations of Chinese hackers trying to steal valuable research data relating to the treatment of Covid-19.

The officials said that Chinese cyber actors were targeting personnel and networks associated with coronavirus-related research to collect intellectual property and public health data on vaccines, treatments and testing of Covid-19.

The agencies also said they were seeing an increased use of coronavirus themes in spear-phishing emails, as well as efforts to distribute malicious software via illegitimate apps claiming to offer information about coronavirus.

Last month, the US government indicted two Chinese hackers, accusing them of stealing intellectual property from multiple firms based in the US and other countries.

The indictment claimed that the two Chinese individuals were assisted by China's Ministry of State Security in their attempts to target defence contractors, health care firms, medical research institutions, universities, maritime engineering firms, human rights activists and a range of other targets in western countries.