US govt exposes Chinese espionage malware secretly used since 2008

The U.S. government today released information on a malware variant used by Chinese government-sponsored hackers in cyber espionage campaigns targeting governments, corporations, and think tanks.

The new malware is a remote access trojan (RAT) dubbed TAIDOOR actively used by Chinese government cyber actors according to information published today by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD).

"China’s Taidoor malware has been compromising systems since 2008," U.S. Cyber Command also tweeted today. 

U.S. Cyber Command has also uploaded four samples of the newly discovered RAT malware variants onto the VirusTotal malware aggregation repository.

China has been using #Taidoor malware to conduct #cyber espionage on governments, corporations, and think tanks. See the latest malware analysis report on their TTPs at @CNMF_CyberAlert. @NSCS @cse_cst @CISAgov @FBI https://t.co/c8dOtV5zK9

Information collected while analyzing Chinese TAIDOOR RAT samples was also shared today by the US govt agencies as part of the AR20-216A malware analysis report (MAR) with info on how the malware is used "in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation."

MARs are designed to provide organizations with accurate and detailed malware analysis information acquired via manual reverse engineering of samples found in the wild.

They are also published to help network defenders detect and minimize exposure to Chinese malicious cyber activity with the help of indicators of compromise (IOCs) and YARA rules for each of the detected samples.

May 2020 attacks on COVID-19 research orgs

The FBI and CISA also warned in May of ongoing attacks coordinated by threat actors affiliated to the People’s Republic of China (PRC) and attempting to collect COVID-19 information after compromising organizations in the US health care, pharmaceutical, and research industry sectors.

"China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19," the FBI said at the time.

"This announcement is intended to raise awareness for research institutions and the American public and provide resources and guidance for those who may be targeted.

"These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.

The warning came one week after a joint alert issued by CISA and UK's NCSC warning of organizations involved in international COVID-19 responses, healthcare, and essential services being actively targeted by government-backed hacking groups.

Defense recommendations

"Chinese government cyber threat actors are actively exploiting trust relationships between information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers," CISA says.

"The intent of sharing this information is to enable network defenders to identify and reduce exposure to Chinese malicious cyber activity."

The cybersecurity agency provides recommendations for system administrators and owners to help strengthen the security posture of their organization's systems:

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on how to prevent malware infections is available in the Guide to Malware Incident Prevention and Handling for Desktops and Laptops published by the National Institute of Standards and Technology (NIST).

More details regarding Chinese malicious cyber activity in the form of previous alerts and MARs released via the National Cyber Awareness System can be found here.