Expert Reaction On US govt exposing Chinese espionage malware

The Federal Bureau of Investigation (FBI) released information on malware variants referred to as TAIDOOR, used by Chinese government-sponsored hackers targeting government agencies and other corporations. Cybersecurity experts commented below.

3 Expert Comments
Karlo Zanki, Reverse Engineer
InfoSec Expert
September 23, 2020 3:29 pm

Taidoor is truly a persistent threat. Government-supported actors often develop malicious tools with the intention of using them to support long-lasting activity, and modify them regularly to remain undetectable. When organizations put a lot of effort into creating a complex tool such as Taidoor, which dates back to 2008, they tend to use it for very targeted attacks rather than massive campaigns. Unfortunately, this means that researchers often don’t have many samples for analysis at their disposal.

The new version of Taidoor described by CISA consists of two parts: a loader in DLL form, and a main RAT module that comes as RC4-encrypted binary data. The loader first decrypts the encrypted main RAT module, and then executes its exported Start function. The report provides two samples for both the loader and the main encrypted RAT module. These samples come with only two C2 domains and one C2 IP; however, ReversingLabs recently identified 23 related samples and 40 new C2 IPs and domains extracted from their configurations.

Individuals and companies looking for an extended IOC list to bolster their defenses can find the data extracted from the newly discovered samples here:
https://blog.reversinglabs.com/hubfs/Blog/Taidoor_SHA1_list.txt
https://blog.reversinglabs.com/hubfs/Blog/Taidoor_C2_list.txt

Last edited 2 years ago by Karlo Zanki
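The comment above points defenders at two IOC lists (sample SHA-1s and C2 hosts). The script below is an added example, not ReversingLabs' or CISA's code, showing how such lists are consumed in a defensive sweep: hashes are matched against file images and C2 domains/IPs are matched against proxy log lines. It assumes both lists are plain text with one indicator per line (an assumption; check the real files), the log format is a constructed five-field layout, and every hash, host and log line embedded here is a constructed placeholder rather than a real Taidoor indicator.

```python
"""Sweep file hashes and proxy logs against Taidoor-style IOC lists.

Added example for this page; not ReversingLabs' or CISA's code.
Assumption: the published lists are plain text, one SHA-1 / one C2 host per
line. All sample data below is constructed; none of it is a real indicator.
"""
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-in for a file image a sweep would hash on disk.
SAMPLE_BLOBS: Dict[str, bytes] = {
    "dropper.dll": b"constructed loader bytes",   # placeholder, not a real sample
    "notes.txt": b"benign document",
}

# Constructed stand-in for Taidoor_SHA1_list.txt. The hash of the placeholder
# blob is inserted so the pipeline can be exercised end to end; the odd line
# shows that non-hash lines are ignored rather than treated as indicators.
SAMPLE_SHA1_LIST = (
    "# sha1 of known loader / RAT samples (constructed)\n"
    + hashlib.sha1(SAMPLE_BLOBS["dropper.dll"]).hexdigest().upper() + "\n"
    + "not-a-hash\n"
)

# Constructed stand-in for Taidoor_C2_list.txt (placeholder hosts, not real IOCs).
SAMPLE_C2_LIST = """
c2.example.invalid
update.example.invalid.
198.51.100.23
"""

# Constructed proxy log lines: timestamp src_ip dst_ip host status
SAMPLE_LOG = [
    "2020-08-06T08:00:00Z 10.0.0.5 203.0.113.9 www.example.com 200",
    "2020-08-06T08:01:00Z 10.0.0.7 203.0.113.10 beacon.c2.example.invalid 200",
    "2020-08-06T08:02:00Z 10.0.0.9 198.51.100.23 - 000",
    "garbage line that does not parse",
]

HEX40 = re.compile(r"^[0-9a-f]{40}$")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<status>\d+)$")


def parse_hash_list(text: str) -> Set[str]:
    """One SHA-1 per line; comments and blanks skipped; lower-cased.
    Anything that is not 40 hex chars is dropped so a stray header line
    cannot silently become an indicator that never matches."""
    out: Set[str] = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#") and HEX40.match(line):
            out.add(line)
    return out


def parse_c2_list(text: str) -> Tuple[Set[str], Set[ipaddress.IPv4Address]]:
    """Split the C2 list into domains and IPv4 addresses so each is matched
    against the right log field. Trailing dots on FQDNs are normalised away."""
    domains: Set[str] = set()
    ips: Set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.IPv4Address(line))
        except ValueError:
            domains.add(line)
    return domains, ips


def sha1_hits(blobs: Dict[str, bytes], bad_hashes: Set[str]) -> List[str]:
    """Names of file images whose SHA-1 is on the list. In production the
    dict would be replaced by a walk over the filesystem."""
    return sorted(name for name, data in blobs.items()
                  if hashlib.sha1(data).hexdigest() in bad_hashes)


def c2_hits(log_lines: Iterable[str], domains: Set[str],
            ips: Set[ipaddress.IPv4Address]) -> List[Tuple[str, str]]:
    """(source IP, matched indicator) for every log line whose host equals a
    C2 domain or is a subdomain of one, or whose destination IP is listed."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real sweep would count these
        host = m["host"].lower().rstrip(".")
        dom_match = any(host == d or host.endswith("." + d) for d in domains)
        try:
            ip_match = ipaddress.IPv4Address(m["dst"]) in ips
        except ValueError:
            ip_match = False
        if dom_match or ip_match:
            hits.append((m["src"], host if dom_match else m["dst"]))
    return hits


def sweep() -> Dict[str, object]:
    """Run both matchers over the constructed sample data."""
    domains, ips = parse_c2_list(SAMPLE_C2_LIST)
    return {
        "files": sha1_hits(SAMPLE_BLOBS, parse_hash_list(SAMPLE_SHA1_LIST)),
        "network": c2_hits(SAMPLE_LOG, domains, ips),
    }


if __name__ == "__main__":
    print(sweep())
```

Matching subdomains of a listed C2 domain is deliberate: beaconing hosts often sit under the configured domain. Exact-string matching on the destination IP is fine for a point-in-time sweep, but the lists above are a snapshot of the infrastructure extracted from samples, so a recurring sweep should re-pull them rather than bake them into the script.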
Joseph Carson, Chief Security Scientist & Advisory CISO
InfoSec Expert
August 6, 2020 8:08 am

When malware is out in the wild like Taidoor, it is difficult to trace it back to the attacker using it for malicious activities, such as remote access. Absolutely, it is highly likely that the origin of the malware is from China; however, since it has been around for almost 12 years, it is very likely that several governments, organized cybercrime, and mercenary criminal hackers have got hold of the malware and are also using it. One method that a government might use it for is misdirection: to create a scenario where it looks like China is behind a cyberattack when it is actually another attacker using a known malware such as Taidoor to hide their tracks and point to China as the origin.

Last edited 2 years ago by Joseph Carson
Sam Curry, Chief Security Officer
InfoSec Expert
August 6, 2020 8:05 am

The newest revelations regarding China’s repeated attempts to steal IP from U.S.-based public and private organisations will result in a strong denial of involvement, as their talking points always include something about how shocked they are and that, as a nation, they aren’t involved in espionage or nation-state hacking. In reality, it’s a game of ‘Xi said,’ ‘she said’ with China looking to distance itself from damning evidence, while at the same time they are ramping up their efforts to embarrass the U.S. by hacking into networks and stealing gov’t secrets, manufacturing designs, research statistics, patent-pending vaccines and anything else not kept away from their snooping eyes.

In addition, cyber-attacks in a time of pandemic on government entities, healthcare companies, and research infrastructure are diabolical. In any other theater besides cyber, they would be a clear act of war and subject to diplomatic, economic, and potentially military reprisals. Some nation-states are treating the COVID crisis as a continuation of the age-old game of tit-for-tat, and it’s shameful.

Last edited 2 years ago by Sam Curry