Some pieces of malware manage to remain unnoticed, or receive only the bare minimum of attention from the cybersecurity community, despite being used in cyber attacks for more than a decade. This is exactly the case with the Taidoor RAT (aka Taurus RAT), a Remote Access Trojan that was first detected way back in 2008. The Taidoor RAT is now the subject of a joint alert report from three US agencies - the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security (DHS CISA), the Department of Defense's Cyber Command (CyberCom) and the Federal Bureau of Investigation (FBI) - because this specific malware is linked to Chinese-sponsored hacker groups.
The FBI Warns about a New Version of a Chinese RAT Malware
Despite its age, the Taidoor RAT has remained relevant over the years and has been spotted in different campaigns in 2008, 2012 and 2013. In the malware alert, the US agencies warn that a new version has been spotted as part of new cyber attacks by hackers. In fact, two versions of the Taidoor RAT have been detected - one designed for 32-bit architectures and one for 64-bit. When it comes to their specific behavior, however, the versions are identical.
The Taidoor RAT is distributed as a service dynamic link library (DLL) file that, in turn, contains two other files: one is a loader, while the other contains the actual remote access malware. The loader decrypts the RAT file and executes it in memory. Once operational, the Taidoor RAT can be used for any number of nefarious activities, such as exfiltrating data, downloading other malware onto the infected machine or logging user activity. Apparently, proxy servers have been employed in attacks involving the Taidoor RAT to hide the hackers' true point of origin.
Companies are advised to adopt sufficient cybersecurity policies, as well as deploy robust anti-malware software to diminish the chances of becoming victims of the Taidoor RAT and similar malware threats.