Wielding a new remote access trojan (RAT) dubbed Taidoor, Chinese government-supported hackers are behind a series of cyberespionage campaigns.
Although it offered no details on the possible targets, CISA warned of the malware variants, noting that “the FBI has high confidence that Chinese government actors are using [them] in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.”
As U.S. Cyber Command pointed out in a tweet, China’s Taidor malware has been compromising systems since 2008. Cyber Command uploaded four samples - identified as a x86 and x64 version of Taidoor - into the VirusTotal database for analysis.
“While it’s good to see government agencies warn and to provide guidance and identification about for RATs such as TAIDOOR, the pathways and services that RATs exploit remain open and hard to monitor for many organizations,” said Matt Walmsley, EMEA director at Vectra. “Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access.”
Given the high volume of legitimate remote access that occurs across networks and hosts, “there’s plenty of opportunity for RATs to operate undiscovered for extended periods as they hide in plain sight,” said Walmsley, explaining they are a particularly useful tool for nation state level threat actors who want to perform extended reconnaissance and maintain a point of persistent inside target organizations,” which seems to be the case with the new Taidoor RAT.