US CISA, FBI and DoD cyber security experts: China's state sponsored hackers are using the TAIDOOR malware to maintain a presence on victim networks and to further network exploitation. The RAT is installed as a service DLL and consists of two files.
China's state sponsored hackers are using the TAIDOOR malware, in conjunction with proxy servers, to maintain a presence on victim networks and to further network exploitation. This has been reported by cyber security experts at the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The malicious code is installed on a target's system as a service dynamic link library (DLL) and is comprised of two files. The first is a loader, which is started as a service; it decrypts the second file and executes it in memory. That second file is the main Remote Access Trojan (RAT). However, the malware has no built-in function that enables it to persist past a system reboot. From the memory dump of the infected system, it appears that it was installed as a service DLL by some other means.
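Because the loader runs as a service DLL, one triage step a responder can take on a suspect host is to enumerate every service's `ServiceDll` value and flag DLLs that live outside the Windows system directories. The script below is an added example written for this page, not code from the advisory or from CISA, FBI or DoD. It parses a constructed excerpt of a `reg export` of `HKLM\SYSTEM\CurrentControlSet\Services` (the service names and paths are invented, and the `hex(2)` form is the REG_EXPAND_SZ encoding that `reg.exe` emits) and reports services whose DLL is not under `System32` or `SysWOW64`. It is a generic hunting heuristic for service-DLL persistence, not a TAIDOOR-specific signature.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a `reg export HKLM\SYSTEM\CurrentControlSet\Services` file.
# Service names and paths are invented for this example. The hex(2) value is the
# REG_EXPAND_SZ encoding (UTF-16LE bytes, comma separated, NUL terminated, with
# backslash line continuations) that reg.exe really writes.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,\
  61,00,74,00,61,00,5c,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
'''

# Matches the Parameters subkey of a service and captures the service name.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]$',
    re.IGNORECASE,
)

# Directories in which a legitimate service DLL is normally expected (assumption
# for this example; tighten or extend it for a given environment).
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


def _decode_value(raw: str) -> str:
    """Decode a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) value from a .reg file."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside REG_SZ strings.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    raise ValueError(f'unsupported value encoding: {raw}')


def parse_service_dlls(reg_text: str) -> Dict[str, str]:
    """Return {service_name: ServiceDll path} from a .reg export of the Services key."""
    # First rejoin lines that reg.exe wrapped with a trailing backslash.
    joined: List[str] = []
    buf = ''
    for line in reg_text.splitlines():
        stripped = line.strip()
        if stripped.endswith('\\'):
            buf += stripped[:-1]
            continue
        joined.append(buf + stripped)
        buf = ''

    result: Dict[str, str] = {}
    current = None
    for line in joined:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and line.lower().startswith('"servicedll"='):
            result[current] = _decode_value(line.split('=', 1)[1])
    return result


def expand_system_root(path: str) -> str:
    """Expand %SystemRoot% the way the service control manager would (assumes C:\\Windows)."""
    return re.sub(r'%systemroot%', lambda _: r'C:\Windows', path, flags=re.IGNORECASE)


def triage_service_dlls(service_dlls: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag (service, path, reason) for ServiceDll values that look out of place."""
    findings: List[Tuple[str, str, str]] = []
    for svc, dll in service_dlls.items():
        full = expand_system_root(dll)
        low = full.lower()
        if not low.startswith(TRUSTED_DIRS):
            findings.append((svc, full, 'ServiceDll outside System32/SysWOW64'))
        elif not low.endswith('.dll'):
            findings.append((svc, full, 'ServiceDll does not end in .dll'))
    return findings


if __name__ == '__main__':
    for svc, path, reason in triage_service_dlls(parse_service_dlls(SAMPLE_REG_EXPORT)):
        print(f'{svc}: {path} ({reason})')
```

On a live system the same logic can be fed from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; a flagged entry is a lead to pull the DLL for analysis and to check the service's `ImagePath` and creation time, not a verdict by itself, since third-party software does legitimately register service DLLs in other directories.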