Taidoor is not new. It “has been successfully compromising targets since 2008, and continues to be active today,” notes a new FireEye analysis. By definition, anything that has been active and successful for 5 years must have effective evasion capabilities – and this is exactly what FireEye’s report demonstrates.
“Taidoor is a constantly evolving, persistent threat,” writes Nart Villeneuve. Early and traditional versions would use a spear-phishing email with a malicious attachment. If the attachment was opened on a vulnerable system, the malware was installed. The weaponized attachment file would open as an apparently legitimate document in an early attempt to disguise the infection and evade any user concerns.
But, continued Villeneuve, “We observed significant tactical changes in 2011 and 2012, when the malicious email attachments did not drop the Taidoor malware directly, but instead dropped a ‘downloader’ that then grabbed the traditional Taidoor malware from the Internet.” The idea here would seem to be the greater likelihood of being able to hide a small downloader undetected in the attachment rather than the full malware. The downloader could then connect to the internet at a later point, and download the full malware with greater chance of success.
Now FireEye has detected a new evolution – the latest version doesn’t communicate with a traditional malicious C&C server, but with a Yahoo! Blog. The blog itself is a custom blog set up by the malware author; and the blog post is itself the malware. “The content of the blog post between the markers “ctxugfbyyxyyyxyy” and “yxyyyxyyctxugfby” is encoded with base64 and encrypted using the RC4 cipher,” explained Villeneuve. “The encryption key, which we discovered to be “asdfasdf”, is also present in the contents of the base64 blog data in an encrypted form. The decrypted content of the blog post is a DLL file – that is in fact the Taidoor malware.”
This is primarily a new evasion technique. “The idea is that the Yahoo! Blog site is legitimate and therefore will not stand out in the network traffic,” Villeneuve told Infosecurity. Quite simply, it is less likely to trigger network-based detection and is more likely to be missed by network defenders “It also allows the attackers to push Taidoor as a secondary malware payload down to the target – they can update this with new malware and new C2s if needed.”
For the moment, there seems little attempt to hide the blogs themselves. These are blogs created by the malware authors, rather than genuine blogs being compromised by the criminals. “The blogs have no posts other than the ones that contain the Taidoor binary or the the C2 information. They are created on Yahoo! Blogs by the attackers for the sole purpose of delivering malicious content,” said Villeneuve. “These are not compromised ‘good’ blogs. The posts are normal posts that are viewable when directly accessing the blogs – they are not hidden."
For the moment, it is an effective new approach to malware delivery. Even if the malicious blogs are relatively easy to find and take down, it is just as easy for the malware author to create new ones to carry on.