Trojan.Taidoor: Balancing the Scales

Contributor: Jeet Morparia

A few weeks ago, we wrote about the Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-4681) being used in a targeted attack campaign by the Nitro attackers. Recently, we have discovered another group exploiting this vulnerability in the wild: the Taidoor attackers.

The Taidoor attackers began utilizing the vulnerability when the proof of concept (POC) began to circulate. On August 28, we discovered the malicious file Ok.jar (Trojan.Maljava!gen24) exploiting the CVE-2012-4681 vulnerability. If successfully exploited, an executable payload, Javaupdate.exe, will be dropped which opens a back door on a compromised computer. This is Trojan.Taidoor.
 

Figure 1. Code snippet from Ok.jar
 

This was the first time we saw the Taidoor attackers utilizing a zero-day vulnerability (patched by Oracle Aug 30). In the past these attackers have—as Symantec notes in our Taidoor whitepaper—relied on known, patched vulnerabilities, hoping to target computers with unpatched software.
 

Figure 2. Balancing the scales – Taidoor adds zero-day vulnerability
 

In addition to using the zero-day Java vulnerability, we also observed the attackers attempting to socially engineer their targets without the aid of software vulnerabilities. Targets are enticed through email about damage caused by Typhoon Libra (a major storm that swept across East and Southeast Asia during late August). This particular campaign spoke about damage inflicted to the island of Lanyu:
 

Figure 3. Email with malicious file attached
 

Email (translation):

Lanyu is devastated, having the worst disaster in its history.

Although the typhoon "Libra" is moving away from Taiwan, the whole island of Lanyu lays ruined after the level17 gust brought by "Libra". The gust has totally blown down the island's only supermarket, the only gas station, as well as some other buildings. Many public facilities are almost completely destroyed. The entire island is still currently blacked out. The islanders are in urgent need of the support from outside. This is the most serious disaster in the island’s history.

The email contains a .zip file attachment. Inside this attached file are images that demonstrate the impact the typhoon had on the island—actual images found on the Internet. In addition to the images, however, there is an .scr file, which the attackers hope goes unnoticed so that the file will be opened (just like the image files) and then executed. Once the .scr file is executed, it drops a version of Trojan.Taidoor on the computer while it continues its ruse by displaying another image to the user. Symantec protects users by detecting the .scr file as Trojan.Dropper.

Adding an unpatched vulnerability as a method of attack is a first for the Taidoor attackers and an interesting development. Does this mean that they will start to routinely leverage zero-day vulnerabilities going forward? Unlike the Elderwood Project, we do not believe the attackers behind Taidoor have their own zero-day vulnerabilities available. However, they have definitely balanced the scales with this new development.