Download the full research paper: The Taidoor Campaign: An In-depth Analysis

Taidoor malware, detected by Trend Micro as BKDR_SIMBOT variants, has historically been documented for its use in targeted attacks. Using techniques developed to match the network traffic Taidoor malware generates when communicating with a command-and-control (C&C) server, we were able to identify victims that this malware appeared to have compromised. All of the compromised victims we discovered were from Taiwan, the majority of which were government organizations.
Based on Trend Micro™ Smart Protection Network™ data, the earliest Taidoor campaign-related activities were seen as far back as October 2010.
Victims and Targets
This campaign primarily targeted government organizations located in Taiwan.
In this campaign, attackers sent emails to targets. The emails came with specially crafted file attachments that exploited vulnerabilities such as CVE-2012-0158, CVE-2009-4324, CVE-2010-1297, CVE-2010-2883, CVE-2011-0611, CVE-2011-1269, and CVE-2009-3129. The purpose of the file attachment was to drop and install SIMBOT malware variants, which had functionalities normally seen in Remote Access Trojans (RATs).
Possible Indicators of Compromise
The GET and POST requests from compromised computers contained a URL path in the following format, aaaaa.php?id=bbbbbbcccccccccccc, where “aaaaa” refers to five random characters that form a file name, “bbbbbb” refers to six pseudorandomly generated characters that change for each connection, and “cccccccccccc” refers to 12 characters that represent the compromised host’s MAC address, obfuscated using a custom algorithm.
In addition, the initial command-and-control (C&C) server request typically uses the following format:
[ C&C ] / [ 5 random characters ] . php ? id = [ 6 random numbers ] [ encrypted victim's MAC address ]
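The beacon format above is the kind of indicator that can be turned into a proxy-log check. The following is an added example written for this profile, not code from Trend Micro or from the research paper: it matches the three-field path structure (5-character file name, `.php?id=`, 6 per-connection characters followed by the 12-character obfuscated MAC) on constructed log lines and then clusters hits on the constant 12-character suffix so repeated beacons from one machine group together. The character classes, the log line layout (`METHOD HOST PATH`) and the hostnames are assumptions; the page says only "random characters", so letters and digits are accepted in every field, and no attempt is made to decode the MAC, since the obfuscation algorithm is not described here.

```python
import re
from typing import Optional

# Beacon URL path format taken from the campaign profile:
#   [5 random chars].php?id=[6 random chars][12-char obfuscated MAC]
# Assumption: "random characters" is interpreted as ASCII letters and digits.
TAIDOOR_PATH_RE = re.compile(
    r"^/(?P<file>[A-Za-z0-9]{5})\.php\?id="
    r"(?P<session>[A-Za-z0-9]{6})(?P<mac_obf>[A-Za-z0-9]{12})$"
)

# Constructed sample proxy log lines (METHOD HOST PATH); hosts are placeholders.
SAMPLE_LOG = """\
GET proxy.example.invalid /index.php?id=123
POST cnc.example.invalid /abcde.php?id=A1b2C3dEfGhIjKlMn0
GET cnc.example.invalid /abcde.php?id=Z9y8X7dEfGhIjKlMn0
GET www.example.invalid /abcdef.php?id=A1b2C3dEfGhIjKlMn0
GET cnc.example.invalid /qwert.php?id=short
"""


def parse_beacon_path(path: str) -> Optional[dict]:
    """Return the three fields if the path has the Taidoor beacon shape, else None."""
    m = TAIDOOR_PATH_RE.match(path)
    if not m:
        return None
    return m.groupdict()


def scan_log(text: str) -> list:
    """Scan METHOD HOST PATH lines and return every GET/POST whose path matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        method, host, path = parts
        if method not in ("GET", "POST"):
            continue  # the profile describes GET and POST beacons only
        fields = parse_beacon_path(path)
        if fields:
            hits.append({"method": method, "host": host, **fields})
    return hits


def group_by_mac(hits: list) -> dict:
    """Cluster hits on the 12-char suffix: it is fixed per host while the
    6-char prefix changes on every connection, so one key = one infected machine."""
    groups = {}
    for h in hits:
        groups.setdefault(h["mac_obf"], []).append(h["session"])
    return groups


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for mac_obf, sessions in group_by_mac(found).items():
        print(f"obfuscated MAC {mac_obf}: {len(sessions)} beacon(s), sessions {sessions}")
```

The structural match alone is a weak signal: any 5-letter PHP script taking an 18-character id parameter would fire, so in practice it belongs alongside destination reputation and the repeat-with-changing-prefix behaviour that `group_by_mac` surfaces, rather than as a standalone alert.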
The full technical details of this attack are included in the Trend Micro research paper, “The Taidoor Campaign: An In-Depth Analysis.” The characteristics highlighted in this APT campaign profile reflect the results of our investigation as of August 2012.