A Chinese virus named Taidoor has recently been reported as a potential threat by the US government in a Malware Analysis Report (MAR) jointly released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The virus poses a threat mainly because of its ever-evolving nature.
Taidoor is a twelve-year-old Chinese virus, first spotted around 2008. It was reportedly most active around 2012 and 2013. It has previously been used to target think tanks, corporations, and government bodies working with the Taiwanese government. Last year, it was reportedly used to target Japanese organizations via Microsoft Word.
How does it work?
According to the report released by the Department of Homeland Security, Taidoor is installed on the target system as a Dynamic Link Library (DLL). It consists of two files. The first file is a loader (ml.dll) which, once on the system, decrypts the second file (svchost.dll), the Remote Access Trojan (RAT) itself, and executes it in memory, so the decrypted RAT is never written to disk.
Once installed, the RAT is used to access the infected systems and to exfiltrate data or deploy other malware. It routes its traffic through proxy servers to hide the true point of origin of the malware's operator. In simple words, it can collect file system data, take screenshots, or install other malware on the system.
The virus is usually delivered by spear-phishing, as an attachment to an email. On a vulnerable system, the virus installs itself while a decoy document with legitimate-looking content is displayed on the screen, so that the user has no reason to become suspicious.
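The two-file design described above (a loader on disk plus an encrypted payload that is only decrypted in memory) leaves a recognisable trace for defenders: the stored payload is high-entropy, and the report gives the file names used (ml.dll and svchost.dll). The script below is an added triage example, not code from the article or from the CISA report. It walks a directory, flags files whose name matches the reported pair or whose Shannon entropy suggests an encrypted blob, and records a SHA-256 for submission to a malware repository. The entropy threshold of 7.2 bits per byte is an assumed heuristic, not a value from the report, and the sample files it builds are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# File names the joint CISA/FBI/DoD report attributes to the Taidoor pair (from the article).
SUSPECT_NAMES = {"ml.dll", "svchost.dll"}

# Assumed threshold: Shannon entropy (bits per byte) above which a file is treated as
# likely encrypted or packed. 7.2 is a common triage heuristic, not a value from the report.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_file(path: str) -> dict:
    """Return name match, entropy and SHA-256 for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    entropy = shannon_entropy(data)
    return {
        "path": path,
        "name_match": os.path.basename(path).lower() in SUSPECT_NAMES,
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_tree(root: str) -> list:
    """Walk a directory tree and return records for files that deserve a second look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rec = triage_file(os.path.join(dirpath, fname))
            if rec["name_match"] or rec["high_entropy"]:
                findings.append(rec)
    return findings


def build_sample_tree() -> str:
    """Constructed sample directory (not real malware):
    a low-entropy text file, an 'svchost.dll' of random bytes standing in for an
    encrypted payload, and an 'ml.dll' that is mostly zero padding."""
    root = tempfile.mkdtemp(prefix="taidoor_triage_")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign document text " * 200)
    with open(os.path.join(root, "svchost.dll"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "ml.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 2000)
    return root


if __name__ == "__main__":
    for rec in scan_tree(build_sample_tree()):
        print(rec)
```

The name check alone is weak (the file can be renamed), and the entropy check alone is noisy (compressed archives and media score high too), which is why the scan reports either signal and leaves the decision to an analyst; the hash is there so a suspicious file can be compared against the samples CISA published.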
Four samples of the Taidoor RAT were uploaded to a public malware repository so that antivirus companies can help identify further activity involving the virus. CISA recommends keeping antivirus software installed and updated, using strong passwords, and restricting users from accessing and installing unwanted software.
Data privacy can be protected by properly following these guidelines and taking the necessary precautions against such malicious software.
You can find the full list of best practices recommended by CISA here.