Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Attackers Using Taidoor Trojan to Target Think Tanks and US-Taiwan Interests

In 2008, the Taidoor Trojan made its first appearance on the Web. It started by attacking government agencies, but the group behind it expanded their reach by targeting a wide range of victims. Now, based on research from Symantec, it appears that the group running Taidoor is interested in think tanks, especially those that are focused on Taiwan.

In 2008, the Taidoor Trojan made its first appearance on the Web. It started by attacking government agencies, but the group behind it expanded their reach by targeting a wide range of victims. Now, based on research from Symantec, it appears that the group running Taidoor is interested in think tanks, especially those that are focused on Taiwan.

While Taidoor started out by targeting governments, between 2009 and 2010, the malware shifted gears. Government victims were counted among those in the media, financial, telecom and manufacturing sectors. The length of the attack, almost four years now, shows that the group responsible for Taidoor is persistent if nothing else.

Based on the collected data, Symantec says that since May 2011, there has been a substantial increase in Taidoor related activity. The malware’s current targets are primarily private industry and influential international think tanks with a direct involvement in US and Taiwanese affairs. Facilities in the services sector that these organizations may use have also been targeted.

“The attackers generally used document based vulnerabilities sent through email as attachments to compromise their intended targets. The most common document type exploited by Taidoor attacks is PDF followed closely by Word documents,” Symantec explained in a blog post.

“In all, at least 9 different vulnerabilities have been observed in use by these attackers in the past. We should bear in mind that the vulnerabilities used are generally ones that are already publically disclosed and patched by vendors at time of use. The attackers are simply exploiting the fact that some organizations may be slow to apply patches.”

Like other Trojan attacks, once the system is compromised, the malware waits for instructions once it calls home. However, Taidoor is a bit interesting in this regard, as the attacker(s) will routinely access the compromised host and run various commands, to check for recently accessed documents, a list of installed software, desktop and network configurations, and more. Moreover, the attacks have a normal workday, as they only check the infected hosts during set times.

Stephen Doherty, Symantec’s Security Response Manager, and Piotr Krysiuk, a Senior Software Engineer in Ireland, published a paper on Taidoor. The 20-page report is available here.

Written By

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.