Based on Trend Micro™ Smart Protection Network™ data, the earliest Taidoor campaign-related activities were seen as far back as October 2010.
Victims and Targets:
This campaign primarily targeted government organizations located in Taiwan.
In this campaign, attackers sent an email to targets. The email came with specially created file attachments that exploited vulnerabilities such as CVE-2012-0158, CVE-2009-4324, CVE-2010-1297, CVE-2010-2883, CVE-2011-0611, CVE-2011-1269, and CVE-2009-3129. The purpose of the file attachment is to drop and install SIMBOT malware variants, which had functionalities normally seen in Remote Access Trojans (RATs).
Possible Indicators of Compromise
The GET and POST requests from compromised computers contained a URL path in the following format, aaaaa.php?id=bbbbbbcccccccccccc, where “aaaaa” refers to five random characters that form a file name, “bbbbbb” refers to six pseudorandomly generated characters that change for each connection, and “cccccccccccc” refers to 12 characters that represent the compromised host’s MAC address, obfuscated using a custom algorithm.
In addition, the initial command-and-control (C&C) server request typically uses the following format:
[C&C]/[5 random characters].php?id=[6 random numbers][encrypted victim's MAC address]
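The request format above can be turned into a proxy-log check. The following is an added example, not code from the Trend Micro profile: it matches the five-character script name, the six-character per-connection value and the 12-character obfuscated MAC token, then groups hits by that token, which stays constant for a victim while the six-character value changes. The log lines are constructed, and treating the obfuscated MAC token as alphanumeric is an assumption.

```python
import re
from typing import Dict, List

# Constructed proxy-log sample (not real traffic): "client method url status".
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.10/kbqzr.php?id=482913a7f3c1e9b2d0 200
10.0.0.7 GET http://example.com/index.php?id=12 200
10.0.0.5 POST http://203.0.113.10/kbqzr.php?id=907214a7f3c1e9b2d0 200
10.0.0.9 GET http://example.com/download.php?id=482913a7f3c1e9b2d0 200
10.0.0.3 GET http://198.51.100.4/abcde.php?id=1234561234567890 404
"""

# Profile's pattern: [C&C]/[5 chars].php?id=[6 chars][12-char obfuscated MAC].
# The MAC part is obfuscated with a custom algorithm, so this only assumes it
# is alphanumeric (assumption), and the query string must end right after it.
TAIDOOR_URI_RE = re.compile(
    r"^https?://(?P<host>[^/]+)/(?P<script>[A-Za-z0-9]{5})\.php"
    r"\?id=(?P<nonce>[A-Za-z0-9]{6})(?P<mac_token>[A-Za-z0-9]{12})$"
)


def match_uri(url: str) -> Dict[str, str]:
    """Return the URI components if url fits the Taidoor beacon shape, else {}."""
    m = TAIDOOR_URI_RE.match(url)
    return m.groupdict() if m else {}


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Scan 'client method url status' lines; keep only GET/POST hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("GET", "POST"):
            continue
        fields = match_uri(parts[2])
        if fields:
            hits.append({"client": parts[0], "method": parts[1], **fields})
    return hits


def clients_by_mac_token(hits: List[Dict[str, str]]) -> Dict[str, set]:
    """Group by the 12-char MAC token: the six-char value changes per
    connection but the token is stable, so it ties repeated beacons to one host."""
    groups: Dict[str, set] = {}
    for h in hits:
        groups.setdefault(h["mac_token"], set()).add(h["client"])
    return groups


if __name__ == "__main__":
    beacons = find_beacons(SAMPLE_LOG)
    for b in beacons:
        print(f"{b['client']} {b['method']} {b['host']} id={b['nonce']}|{b['mac_token']}")
    print(clients_by_mac_token(beacons))
```

The negative lines (a long script name, a short id, a non-matching length) show the pattern only fires on the exact 5/6/12 structure, so it should be paired with the destination host and timing data rather than used alone.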
The full technical details of this attack are included in the Trend Micro research paper, “The Taidoor Campaign: An In-Depth Analysis.” The characteristics highlighted in this APT campaign profile reflect the results of our investigation as of August 2012.