The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified a malware variant, referred to as TAIDOOR, used by the Chinese government. In addition, U.S. Cyber Command has released the malware sample to the malware aggregation tool and repository, VirusTotal.
"Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy," says Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers. "With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunity for RATs to operate undiscovered for extended periods as they hide in plain sight. They are a particularly useful tool for nation state level threat actors who want to perform extended reconnaissance and maintain a point of persistence inside target organizations. That certainly seems to be the case here with activity being linked back to China from 2008."
While it’s good to see government agencies warn about and provide guidance and identification for RATs such as TAIDOOR, the pathways and services that RATs exploit remain open and hard to monitor for many organizations, explains Walmsley. "Signatures exist for the most common RATs, but skilled attackers can easily customize or build their own RATs using common remote desktop tools such as RDP to exert remote access. This is held up by some recent analysis we made on live enterprise networks that found that 90 percent of surveyed organizations exhibit a form of malicious RDP behaviors. This type of behavioral detection approach (instead of trying to perfectly fingerprint each RAT’s signature) can be achieved with machine learning models designed to identify the unique behaviors of RATs. By analyzing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behavior without prior knowledge of the attack, or individual RAT’s code."
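The behavioral approach Walmsley describes, shown as an added example that is not code from Vectra, CISA, or the TAIDOOR report: instead of matching a signature, each outbound connection series from an internal host is reduced to three payload-independent features (timing regularity, outbound-to-inbound byte ratio, connection frequency) and a small supervised logistic-regression model is trained on labelled sessions to separate timer-driven beaconing from human-driven remote access. The `Session` records, the feature choice, and every training and test session below are constructed assumptions for illustration, not captured traffic or a measured detector.

```python
"""Behavioral RAT detection with a small supervised classifier (added example).

Assumptions (not from the advisory or from Vectra): per-host outbound connection
records are available as (start time, bytes out, bytes in). Every session below
is constructed for illustration, not captured traffic.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    """Outbound connections from one internal host to one external peer."""
    starts: list[float]   # connection start times, seconds since first seen
    bytes_out: int        # total bytes sent by the internal host
    bytes_in: int         # total bytes received by the internal host


def extract_features(s: Session) -> list[float]:
    """Three behavioral features that never look at payload or code.

    jitter:     coefficient of variation of inter-connection gaps; a timer-driven
                beacon sits near 0, human-driven remote access is irregular.
    byte_ratio: log(out/in); an implant pushes collected data out and receives
                short tasking, while a user's RDP client mostly receives screen data.
    gap:        log of the mean gap between connections (beacons are frequent).
    """
    gaps = [b - a for a, b in zip(s.starts, s.starts[1:])]
    if len(gaps) < 2 or mean(gaps) <= 0:
        # Fewer than two gaps cannot show regularity: treat as irregular and infrequent.
        jitter, gap = 1.0, math.log(3600.0)
    else:
        jitter = pstdev(gaps) / mean(gaps)
        gap = math.log(mean(gaps))
    byte_ratio = math.log((s.bytes_out + 1) / (s.bytes_in + 1))
    return [jitter, byte_ratio, gap]


class LogisticRat:
    """Minimal logistic regression trained by full-batch gradient descent on z-scored features."""

    def __init__(self, lr: float = 0.1, epochs: int = 500):
        self.lr, self.epochs = lr, epochs
        self.mu: list[float] = []
        self.sigma: list[float] = []
        self.w: list[float] = []
        self.b = 0.0

    @staticmethod
    def _sigmoid(t: float) -> float:
        t = max(-500.0, min(500.0, t))          # keep exp() in range
        return 1.0 / (1.0 + math.exp(-t))

    def _z(self, x: list[float]) -> list[float]:
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sigma)]

    def _logit(self, z: list[float]) -> float:
        return sum(wi * zi for wi, zi in zip(self.w, z)) + self.b

    def fit(self, sessions: list[Session], labels: list[int]) -> "LogisticRat":
        X = [extract_features(s) for s in sessions]
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]   # no /0 on a constant feature
        Z = [self._z(x) for x in X]
        self.w, self.b, n = [0.0] * len(cols), 0.0, len(Z)
        for _ in range(self.epochs):
            grad_w, grad_b = [0.0] * len(cols), 0.0
            for z, y in zip(Z, labels):
                err = self._sigmoid(self._logit(z)) - y   # d(log-loss)/d(logit)
                for j, zj in enumerate(z):
                    grad_w[j] += err * zj / n
                grad_b += err / n
            self.w = [wi - self.lr * g for wi, g in zip(self.w, grad_w)]
            self.b -= self.lr * grad_b
        return self

    def score(self, s: Session) -> float:
        """Probability that the session is RAT-like (no signature involved)."""
        return self._sigmoid(self._logit(self._z(extract_features(s))))


# Constructed labelled training data (assumption, not captured traffic). label 1 = RAT-like.
TRAINING = [
    (Session([0, 60, 121, 180, 241, 300], 50_000, 2_000), 1),     # 60 s beacon, exfil-heavy
    (Session([0, 300, 600, 900, 1200], 120_000, 4_000), 1),       # 5 min beacon
    (Session([0, 31, 60, 90, 121, 150, 180], 8_000, 1_500), 1),   # 30 s beacon, light tasking
    (Session([0, 120, 240, 359, 480], 90_000, 3_000), 1),         # 2 min beacon
    (Session([0, 700, 4100, 5000], 3_000, 900_000), 0),           # user RDP: screen data inbound
    (Session([0, 2500, 3000, 9000], 5_000, 2_000_000), 0),
    (Session([0, 1200, 6000], 1_500, 400_000), 0),
    (Session([0, 50, 3200, 8000, 8100], 9_000, 3_500_000), 0),
]


def train_demo_model() -> LogisticRat:
    sessions, labels = zip(*TRAINING)
    return LogisticRat().fit(list(sessions), list(labels))


def demo_scores() -> dict[str, float]:
    """Score two unseen constructed sessions: a 45 s beacon and an analyst's RDP session."""
    model = train_demo_model()
    unseen = {
        "beacon": Session([0, 45, 91, 135, 180, 226], 40_000, 1_800),
        "analyst": Session([0, 900, 5400, 5600, 12000], 2_000, 600_000),
    }
    return {name: model.score(s) for name, s in unseen.items()}


if __name__ == "__main__":
    for name, p in demo_scores().items():
        print(f"{name}: P(RAT-like) = {p:.3f}")
```

The model never sees the tool's code or a byte pattern, which is the point of the behavioral approach: a custom or RDP-based RAT with the same beaconing and exfiltration profile scores the same as a known one. The caveat a practitioner should keep in mind is that the features are equally blind to a RAT that is driven interactively and moves little data, and that scheduled legitimate jobs (backup agents, monitoring pollers) beacon too, so a deployed detector needs far more labelled sessions and an allowlist step than this illustration.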
CISA encourages users and administrators to review Malware Analysis Report MAR-10292089-1.v1, U.S. Cyber Command’s VirusTotal page, and CISA’s Chinese Malicious Cyber Activity page for more information.