Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Trojan.Taidoor takes aim at policy think tanks

Created: 27 Mar 2012 12:09:20 GMT • Updated: 23 Jan 2014 18:16:33 GMT • Translations available: 日本語
Symantec Security Response's picture
+1 1 Vote
Login to vote

The Taidoor family of Trojans are at the centre of a lengthy and sustained malware campaign that’s been active for several years.  The approach used by the Taidoor attackers is the standard textbook email-based targeted attack method. When Taidoor attacks first began in 2008, the main targets were government agencies.  Over time, the focus of the attacks broadened to include a significant interest in the media, financial, telecom and manufacturing sectors too. From the recent data available to Symantec, we can see that the interest of the Taidoor attackers has shifted to “think tank” type organizations who have become the intended recipients for the vast majority of the targeted emails sent since 2011.

The attackers generally used document based vulnerabilities sent through email as attachments to compromise their intended targets. The most common document type exploited by Taidoor attacks is PDF followed closely by Word documents. In all, at least 9 different vulnerabilities have been observed in use by these attackers in the past. We should bear in mind that the vulnerabilities used are generally ones that are already publically disclosed and patched by vendors at time of use. The attackers are simply exploiting the fact that some organizations may be slow to apply patches.

Upon successful compromise of a target’s computer, the Trojan calls home to a predetermined command and control (C&C) server and await further instructions. An intriguing aspect of the Taidoor attacks is the observation of a live interactive shell session performed by a human attacker. During the short session, we saw the attacker issuing commands to check for recently used documents, what software is installed, content of the desktop, network connections and so forth. This information can then be used to discover other items of interest to the attackers. We also found that the back door connections were typically only active during certain hours of the day, indicating a regular pattern in the working hours of the attackers.

While we don’t know the identities of the people behind the Taidoor attacks, the subjects used, intended targets and working hours of the attackers gives us some clues as to who they are and where they may be operating from. Judging by the methods used and the execution of the attacks by the people behind Taidoor, we could surmise that they are not an extremely sophisticated or well funded unit, but they still continue to pose a threat to organizations.

Stephen Doherty and Piotr Krysiuk collaborated to produce a fascinating paper about the Taidoor attacks. You can read the full details of their research and the protection that we offer by downloading a copy of the paper: Trojan.Taidoor: Targeting Think Tanks.

The following infographic illustrates the main points about these attacks.