Trojan.Taidoor: A Modern Chinese APT

23 09 2012

“We must use all types, forms, and methods of force, and especially make more use of nonlinear warfare and many types of information warfare methods … to use our strengths in order to attack the enemy’s weaknesses, avoid being reactive, and strive for being active.” [1]

In 1995, China’s Major General Wang Pufeng stated the nation’s position on information warfare, and it was clear that China was willing to use technology as an attack vector. This statement was made 14 years before USCYBERCOM was established to “ensure US and allied freedom of action in cyberspace, while denying the same to [their] adversaries” [2]. USCYBERCOM’s mission statement is essentially a more subtle version of Major General Wang’s declaration, only delivered much later.

China has viewed cyberwarfare and advanced persistent threats (APT) as a direct means of military defense and offense since the late 1990s, and has grown to use cyber attacks to steal information and “leapfrog” [1] Western innovations and advancements. Today, China is not only behind, or suspected of being behind, cyber espionage operations; many organized Chinese groups have also been responsible for politically motivated attacks against Taiwan, Tibet, and the United States, to name a few.

In 2011, the group behind a series of attacks named Trojan.Taidoor restructured its three-year-old strategy. Trojan.Taidoor, more commonly known as Taidoor, began focusing on think tanks involved with US and Taiwanese affairs and on the private sector, rather than a set of unrelated organizations. (Fun fact: Taidoor = 台门 = door into Taiwan.) 2011 also saw an increase in the frequency of attacks, including a peak in September 2012 when the US-Taiwan Defense Industry Conference was held [6].

Taidoor’s technical specifications include the expected email attacks as the breach component, where some messages are specially crafted for specific targets and others are more generalized phishing attempts [5]. Once Taidoor’s targets open the attachments in the attack emails, which are generally in xls, scr, pdf, or doc formats, a dropper is created in the target’s file system. The dropper then replaces itself with the malicious back door and proceeds to the final payload [4]. From there, Taidoor’s back doors communicate with command & control servers generally located near the attacker to reduce suspicion.
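The attachment types named above are the only breach detail the post gives, so the following added example (not code from the post or from any of the cited reports) shows a mail-gateway triage check for them: it flags .scr attachments (screensavers are plain Windows executables), executables arriving under a document extension, and document extensions whose leading bytes do not match the expected file signature. The sample attachments are constructed.

```python
"""Triage mail attachments of the kinds used as Taidoor lures (xls, scr, pdf, doc)."""

PE_MAGIC = b"MZ"                                  # Windows executable header
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
PDF_MAGIC = b"%PDF-"
EXPECTED = {"doc": OLE2_MAGIC, "xls": OLE2_MAGIC, "pdf": PDF_MAGIC}


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine the attachment; an empty list means no finding."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    findings = []
    if ext == "scr":
        findings.append("screensaver attachment is a Windows executable")
    if data.startswith(PE_MAGIC) and ext in EXPECTED:
        findings.append(f"PE executable disguised as .{ext}")
    expected = EXPECTED.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"content does not match .{ext} signature")
    return findings


def triage_mailbox(attachments) -> dict[str, list[str]]:
    """Map each flagged filename to its findings; clean attachments are omitted."""
    report = {}
    for name, data in attachments:
        findings = triage_attachment(name, data)
        if findings:
            report[name] = findings
    return report


# Constructed sample attachments (hypothetical names, minimal header bytes only).
SAMPLE_ATTACHMENTS = [
    ("agenda.xls", OLE2_MAGIC + b"\x00" * 16),        # genuine legacy Excel header
    ("conference.pdf", b"MZ\x90\x00" + b"\x00" * 16),  # executable renamed to .pdf
    ("photo.scr", b"MZ\x90\x00" + b"\x00" * 16),       # screensaver executable
    ("report.doc", b"PK\x03\x04" + b"\x00" * 16),      # zip container under .doc
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "; ".join(reasons))
```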

However, despite Taidoor’s seemingly more focused attacks since 2011, its motivations remain unclear, and it does not appear that any security firm has identified exactly what the attackers behind Taidoor do with compromised information. When Symantec traced the activity of Taidoor’s command & control servers, they found that the attackers engaged in live interactive sessions to traverse the compromised machine. The attackers seem to search for valuable documents without any clear methodology or strategy [5], a common trend in many APTs. While some APTs use zero-day vulnerabilities, several major Chinese APTs, including Taidoor, exploit only known Adobe or Microsoft vulnerabilities. As such, the attackers can be fairly certain that their victims are not the most technologically advanced, given their failure to patch highly vulnerable software.

Taidoor’s frequency, targets, and technical details are similar to those of many other instances of cyberwarfare and espionage linked to China, such as Luckycat. Today, China has been identified as the source of many attacks similar to Taidoor, where the primary goal is to steal information or to gain a competitive edge over other nations. China has a long history of recognizing the power of cyberwarfare, and today we see the products of that history.

“Red Hackers” or “Chinese Honkers” [3], as media outlets have named them, are some of the most active members of the global cyberespionage and hacker communities, and there seems to be no end in sight to their or any other nation’s cyberwarfare activities. In conjunction with ever-advancing technology, cyberwarfare is undoubtedly an area demanding increased attention.

_____________

[1] Bilio, Charles, and Welton Chang. “Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States.” Institute for Security Technology Studies at Dartmouth College, Dec. 2004. Web. Sept. 2012. <http://www.ists.dartmouth.edu/docs/cyberwarfare.pdf>.

[2] “U.S. Department of Defense, Cyber Command Fact Sheet.” 21 May 2010. Web. 9 Sept. 2012. <http://www.stratcom.mil/factsheets/Cyber_Command>.

[3] Hille, Katherine, and Joseph Menn. “Hackers in frontline of China’s cyberwar.” Financial Times. N.p., 13 Jan. 2010. Web. 9 Sept. 2012. <www.ft.com/cms/s/2/5fbfe99a-0026-11df-8626-00144feabdc0.html#axzz26bpKpser>.

[4] “The Taidoor Campaign: An In-Depth Analysis.” Trend Micro Incorporated, 23 Aug. 2012. Web. 10 Sept. 2013. <www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf>.

[5] “Trojan.Taidoor takes aim at policy think tanks.” Symantec Security Response. N.p., 27 Mar. 2012. Web. 9 Sept. 2012. <www.symantec.com/security_response/writeup.jsp?docid=2012-060716-0537-99>.

[6] Doherty, Stephen, and Piotr Krysiuk. “Trojan.Taidoor: Targeting Think Tanks.” Symantec Security Response, n.d. Web. 9 Sept. 2012. <www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf>.
