In 2008, the Taidoor Trojan made its first appearance on the Web. It started by attacking government agencies, but the group behind it expanded their reach by targeting a wide range of victims. Now, based on research from Symantec, it appears that the group running Taidoor is interested in think tanks, especially those that are focused on Taiwan.
While Taidoor started out by targeting governments, between 2009 and 2010, the malware shifted gears. Government victims were counted among those in the media, financial, telecom and manufacturing sectors. The length of the attack, almost four years now, shows that the group responsible for Taidoor is persistent if nothing else.
Based on the collected data, Symantec says that since May 2011, there has been a substantial increase in Taidoor related activity. The malware’s current targets are primarily private industry and influential international think tanks with a direct involvement in US and Taiwanese affairs. Facilities in the services sector that these organizations may use have also been targeted.
“The attackers generally used document based vulnerabilities sent through email as attachments to compromise their intended targets. The most common document type exploited by Taidoor attacks is PDF followed closely by Word documents,” Symantec explained in a blog post.
“In all, at least 9 different vulnerabilities have been observed in use by these attackers in the past. We should bear in mind that the vulnerabilities used are generally ones that are already publically disclosed and patched by vendors at time of use. The attackers are simply exploiting the fact that some organizations may be slow to apply patches.”
Like other Trojan attacks, once the system is compromised, the malware waits for instructions once it calls home. However, Taidoor is a bit interesting in this regard, as the attacker(s) will routinely access the compromised host and run various commands, to check for recently accessed documents, a list of installed software, desktop and network configurations, and more. Moreover, the attacks have a normal workday, as they only check the infected hosts during set times.
Stephen Doherty, Symantec’s Security Response Manager, and Piotr Krysiuk, a Senior Software Engineer in Ireland, published a paper on Taidoor. The 20-page report is available here.