
DHS CISA Alert Warns of Chinese-Backed Malware Cyberattacks

DHS CISA identified a malware variant known as Taidoor tied to the government of China, designed to maintain presence on victim networks and for further exploits and cyberattacks.


By Jessica Davis

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency identified a malware variant tied to the Chinese government, which is targeting US organizations both to maintain a presence on victims' networks and to enable further exploits and cyberattacks.

The alert comes on the heels of an indictment of two hackers by the Department of Justice, which accused the individuals of working with China to steal valuable data from US organizations, including COVID-19 research data. Moderna recently confirmed to Reuters that the research firm was also targeted with cyberattacks, allegedly stemming from China. 

The latest malware variant is called Taidoor, which was identified by DHS CISA, the FBI, and the Department of Defense. Taidoor was first spotted in the wild in 2008 targeting government agencies, corporate entities, and think tanks. Those initial attacks began with spear-phishing emails, with Taidoor delivered as an email attachment. 

The FBI believes that threat actors from the Chinese government are using various malware variants tied to proxy servers in the latest attacks, according to the alert. The agencies distributed the alert to help US organizations enable network defenses to reduce exposure to these nation-state attacks. 

The advisory contains indicators of compromise, exploit techniques, mitigation techniques, and recommendations. 


Malicious binaries of Taidoor were identified in x86 and x64 versions and analyzed by the agencies. In these attacks, the malware is first installed onto a targeted system as a service dynamic link library (DLL) and consists of two files.

The first file is a loader, which is started as a service on the victim's system and decrypts the second Taidoor file, executing it in memory as the main Remote Access Trojan (RAT). The loader looks for a file named “svchost.dll” in its running directory.

When it finds that file, the loader reads “svchost.dll” into memory and decrypts its contents with the RC4 algorithm.

“After the loader has finished decrypting ‘svchost.dll’, the loader now has a decrypted version of Taidoor, which is a DLL,” according to the alert. “The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which Taidoor will utilize. Next, the loader looks for the export ‘Start’ in the Taidoor DLL and executes that function.”

“Taidoor does not have a function built in that enables it to persist past a system reboot,” it added. “It appears from the memory dump of the infected system, it was installed as a service DLL by some other means. The malware author never removed the symbol file for the ‘ml.dll’ build. This artifact provides additional information that the malware author intended this binary to do, ‘DllHijackPlushInject.’”


Administrators are urged to flag suspicious activity and report it to CISA or the FBI, while prioritizing mitigation of suspected Taidoor attacks.

CISA provided recommended defense tactics, following best practices to ensure a strengthened security posture across the enterprise. As always, any configuration changes must first be reviewed by system owners or administrators before implementation to avoid potential system challenges. 

Antivirus signatures and engines and operating system patches must be maintained and consistently updated. File and printer sharing services should be disabled, if possible. If the services are required, strong passwords or Active Directory authentication should be employed.

User permissions to install and run unwanted software applications should be restricted, and administrators should ensure users are not added to the local administrators' group unless required.

Enterprises must also enforce a strong password policy and implement routine password changes. Employees should be trained to exercise caution when opening email attachments, even when the attachment is expected and the sender appears to be known. The workforce should also be trained to be cautious when using removable media.

All enterprise workstations should have a personal firewall enabled and be configured to deny any unsolicited connection requests. Any unnecessary services on those workstations and enterprise servers should also be disabled.

Administrators should have tools in place able to scan for and remove suspicious email attachments, ensuring attachments are of a true file type, “i.e., the extension matches the file header.” Administrators will also need to monitor the web browsing habits of users and restrict access to sites with unfavorable content.
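The “extension matches the file header” check above, as an added illustration that is not part of the alert or this article: the signature table and the sample attachment bytes are constructed here, and a real deployment would extend the table and run the check inside the mail gateway.

```python
import os

# Constructed magic-byte table: each extension maps to the byte prefixes
# a genuine file of that type starts with. Extend for your environment.
SIGNATURES = {
    ".pdf":  [b"%PDF-"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".rtf":  [b"{\\rtf"],
    # Office Open XML documents are ZIP containers.
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip":  [b"PK\x03\x04"],
    # Windows executables and DLLs (such as a service DLL) share the MZ header.
    ".exe":  [b"MZ"],
    ".dll":  [b"MZ"],
}

# Prefixes that mark executable content regardless of what the name claims.
EXECUTABLE_MAGIC = [b"MZ"]


def header_matches_extension(filename, data):
    """True if the leading bytes of `data` match the claimed extension,
    False if they do not, None if the extension is not in the table."""
    ext = os.path.splitext(filename.lower())[1]
    expected = SIGNATURES.get(ext)
    if expected is None:
        return None
    return any(data.startswith(sig) for sig in expected)


def classify_attachment(filename, data):
    """Return 'ok', 'mismatch', 'executable' or 'unknown' for an attachment."""
    verdict = header_matches_extension(filename, data)
    if verdict is False:
        # Worst case: a document or image extension hiding a PE image.
        if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
            return "executable"
        return "mismatch"
    if verdict is None:
        return "unknown"
    return "ok"


# Constructed sample attachments (header bytes plus filler, not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # PE image renamed to .jpg
    "notes.png": b"GIF89a\x01\x00\x01\x00",        # GIF renamed to .png
    "readme.txt": b"plain text, no magic",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} -> {classify_attachment(name, blob)}")
```

Files classified as "unknown" should be routed to a full content scanner rather than allowed through, since the table only covers types it knows.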

Lastly, all software downloaded from the internet must be scanned before execution, and administrators should maintain situational awareness of the threat landscape and implement appropriate Access Control Lists.