Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
Taidoor is the name of the last persistent threat analyzed and described by Reversing Labs team, and we’ll be using some of their research in this article. Traidoor has been linked to the Chinese government, and the last versions are being used along with proxy servers to create persistence on the target networks and be used on further activities. Like other malicious tools, this piece of malware needs to be stealthy to maintain its activity for large months and even years.
The new updates of this version of Taidoor RAT are composed of two principal parts:
- An initial loader in a DLL form
- The RAT main module comes as RCE-encrypted binary data.
In detail, the Taidoor loader starts by decrypting the encrypted main module and executes the “Start” call present on the DLL Export Address Table (EAT).
Figure 1: Exported functions present on the EAT of Taidoor RAT.
Put the pieces together
By analyzing some samples of this threat, it’s possible to learn they are using the same AES key (16157E2BA6D2AE288815F7AB3C4FCF09). Nonetheless, there is an additional encryption layer in place developed by crooks responsible for configuration decryption - AES key and S-Box initialization.
Figure 2: AES key hardcoded inside the malicious DLL.
The next decryption process is then used to reveal the encrypted data inside the binary, including strings related to HTTP activity, C2 config, and other details about the Taidoor configuration.
Figure 3: Loading of AES decryption key after the first decryption process.
The symmetric AES key makes it possible to get the original strings hardcoded inside the malicious binary and the PDB path, as presented below.
During the analysis of different malware samples, two different PDB paths were found, namely:
These PDB paths are crucial to understanding that the samples were created in 2016 and 2017 and that this piece of malware is active for a decade without being detected by AV and EDR security solutions.
As mentioned by Reversing Labs here, the found RC4 symmetric key had been used by several samples of Taidoor RAT for several years (first seen nine years ago at least).
“A search query indeed finds 17 samples with this name, and analyzing them in disassembler shows they also have the configuration encrypted with the same “0xA1 0xA2” RC4 key.”
Figure 4: Samples of Taidoor undetected for a decade.
The C2 config was also extracted from several samples that remained undetectable and their remote servers available on the internet. Next, the list of the C2 used by Taidoor for several years in its malicious operations.
Figure 5: C2 list used by Taidoor RAT.
Taidoor's threat
Nowadays, different kinds of attacks and threats have emerged in volume and sophistication. Taidoor is one of the malicious tools that remained undetectable for a decade, avoiding detection from security solutions such as antivirus, EDR systems, network-based firewalls and SIEMs.
It’s notorious that Taidoor’s creators had something specific in mind: maintain the malware activity stealthy and FUD (fully-undetectable). In this sense, it’s crucial to apply the proper steps to mitigate infections of this nature. Below, we are going to provide some recommendations to fight, in general, threats to this line, namely:
- Use monitoring software: monitor new and existing types of malware using an antivirus or EDR system. With these kinds of software, you can prevent, defend and mitigate threats of this nature in advance.
- Keep operating systems and software updated: this is the key to success. It’s crucial to keep operating systems and other software with the latest patches applied to mitigate flaws that can be abused by threats, in general, to fully compromise assets.
- Create a cybersecurity mindset: remind users about the origin of the emails, links, attachments and more. All sources should be verified. Remember that phishing is still the most used vehicle to distribute malware over the internet.
- Enforce password policy: your old friend. Employ a firm password policy and ensure passwords are updated frequently.
Sources
Taidoor analysis, Reversing Labs
Taidoor IoCs, US-CERT
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis