Taidoor

Taidoor is a trojan that has been successfully compromising users since 2008 and is still targeting users today. Earlier versions of the malware used spearphishing emails with malicious attachments to infect users. The attachment would open what appeared to be a legitimate document so as not to arouse the user's suspicion. By 2011 and 2012, the malicious attachments began pushing a "downloader" that would then retrieve Taidoor from the internet. This tactic makes detection less likely and leaves a smaller footprint. In 2013, researchers noted a change to Taidoor: the malware communicated with a Yahoo! Blog website instead of a traditional C2 server. The blog post web page delivers the Taidoor malware, likely a technique used to evade detection, because Yahoo! Blog is a legitimate site and traffic to it would not arouse suspicion. Taidoor has been used in cyber espionage campaigns in the past, targeting government agencies, corporate entities, and think tanks. Taiwan, and nations like the U.S. with interests in Taiwan, have been especially targeted.

Reporting

  • March 2012: Attackers are using the Taidoor trojan to target think tanks and US-Taiwan interests.
  • September 2013: Taidoor uses a blog hosting platform to transmit C2 server information to compromised targets. (FireEye)

Technical Details

  • Trend Micro provides a technical analysis of Taidoor from 2012, here.

One example of the Taidoor trojan. Image Source: FireEye