Monday, May 07, 2012

Published: FR12-008 – “Team Taidoor” with updated TTP

FR12-008 details targeted spear-phishing aimed at a Red Sky member. Red Sky is tracking this group of attackers under the name Team Taidoor. Interestingly enough, Taidoor has been reported in open source for at least a year. FR12-008 includes a compiled list of more than 150 “Team Taidoor” indicators, each referenced to its Kill Chain phase, along with details of what is believed to be a new downloader and a possible update to the team's TTP. Red Sky analysts also crafted SNORT signatures to detect the new downloader as well as the Taidoor variant.

Another interesting characteristic of Team Taidoor is their continued and persistent targeting of specific individuals. If at first you don’t succeed, try, try, again! Symantec reported the targeting of one individual, referred to as “Mr. X”, who received over 20 emails originating from Taidoor actors during 2011. Another source reports that a single Taidoor target received over 175 malicious emails over the course of 2010 and 2011.
