Taidoor Campaign Targets Government Agencies in Taiwan

The Taidoor Campaign: An In-depth Analysis Download the full research paper: The Taidoor Campaign: An In-depth Analysis

Taidoor malware, detected by Trend Micro as BKDR_SIMBOT variants, have been historically documented for their use in targeted attacks. Using techniques developed to match the network traffic Taidoor malware generate when communicating with a command-and-control (C&C) server, we were able to identify victims that these appeared to have compromised. All of the compromise victims we discovered were from Taiwan, the majority of which were government organizations.

Looking at threat intelligence derived from tracking advanced persistent threat (APT) campaigns over time, we were able to develop indicators of compromise primarily based on the network traffic generated by the malware used in the Taidoor campaign. Using data collected from the Trend Micro™ Smart Protection Network™, we are able to identify victims whose networks communicated with Taidoor C&C servers.

While we are unable to determine the exact method by which any of the victims’ networks were compromised, the information we collected did indicate which specific Taidoor malware samples contacted which C&C servers. We also obtained email samples associated with the delivery of the Taidoor malware samples. As such, we were able to provide an overview of the Taidoor campaign, including the attack vectors and malware the attackers used, and come up with a remediation strategy.

Taidoor Quick Profile:

First Seen:
Based on Trend Micro™ Smart Protection Network™ data, the earliest Taidoor campaign-related activities were seen as far back as October 2010.

Victims and Targets:
This campaign primarily targeted government organizations located in Taiwan.

In this campaign, attackers sent an email to targets. The email came with specially created file attachments that exploited vulnerabilities such as CVE-2012-0158, CVE-2009-4324, CVE-2010-1297, CVE-2010-2883, CVE-2011-0611, CVE-2011-1269, and CVE-2009-3129. The purpose of the file attachment is to drop and install SIMBOT malware variants, which had functionalities normally seen in Remote Access Trojans (RATs).

Possible Indicators of Compromise
The GET and POST requests from compromised computers contained a URL path in the following format, aaaaa.php?id=bbbbbbcccccccccccc, where “aaaaa” refers to five random characters that form a file name, “bbbbbb,” refers to six pseudorandomly generated characters that change for each connection, and “cccccccccccc” refers to 12 characters that represent the compromised host’s MAC address that is obfuscated using a custom algorithm.

In addition, the initial command-and-control (C&C) server request typically uses the following format:
[ C&C ] / [ 5 random characters ] . php ? id = [ 6 random numbers ] [ encrypted victim's MAC address ]

The full technical details of this attack are included in the Trend Micro research paper, “The Taidoor Campaign: An In-Depth Analysis.” The characteristics highlighted in this APT campaign profile reflect the results of our investigation as of August 2012.



Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.