The ‘Taidoor’ malware has been active in global cyberspace since 2008. Although it has undergone many modifications over the years, it has been used for targeted cyber-attacks from its inception. According to FireEye, the present variant has received several additions and is now loaded with enhanced capabilities.
In the first week of August 2020, the US Government claimed that this modified “Taidoor RAT” was being used in targeted attacks on the US and issued a warning to that effect. The Malware Analysis Report (MAR) released recently by the US after a thorough analysis by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) confirms this. It identifies the malware variant and attributes it to Chinese government cyber actors.
The malicious binaries of the “Taidoor RAT” are x86 and x64 versions of Taidoor, which was first seen in 2008. Taidoor is installed on a target’s system as a service dynamic link library (DLL) made up of two files. The first file is a loader, which is started as a service. The loader then decrypts the second file and executes it in memory; this second file is the main Remote Access Trojan (RAT).
After the file is read into memory, the loader DLL uses the RC4 encryption algorithm to decrypt its contents.
After the loader has finished decrypting “svchost.dll”, it holds a decrypted version of Taidoor, which is itself a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the DLLs KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which Taidoor will utilise.
Next, the loader looks for the export “Start” in the Taidoor DLL and executes that function.
After completing its decryption routine, Taidoor iterates through the System Event Log, looking specifically for event IDs 6005 (event service started) and 6006 (event service stopped). Taidoor then tries to connect to its C2 server. Once Taidoor and the C2 server finish the TCP handshake, Taidoor waits for at least one byte of data to be sent from the C2 server. These bytes are not checked by Taidoor; anything can be sent.
After Taidoor has confirmed it has received at least one byte of data from the server, it sends a custom-formatted packet over port 443. Note: this packet does not follow the TLS protocol and is easily identifiable. The initial packet sent from Taidoor to the C2 server in this case always starts with “F::” followed by the encryption key that Taidoor and the C2 server will use to encrypt all following communications.
Once execution, the handshake, and session establishment are complete, port 443 continues to be utilised, but here again the text exchanged is in clear text, merely obscured to look as if it were encrypted. The malware can also operate in conjunction with proxy servers to maintain a presence on victim networks and to carry out further network exploitation when needed. Again, all this stealing of data and holding victims to ransom points towards China.
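A defender-side check for the two traits just described (the server speaks first on port 443, and the first client message is not a TLS record but begins with “F::”), as an added example that is not code from the article or the MAR; the Flow layout and the sample payloads are constructed for illustration.

```python
"""Flag Taidoor-style non-TLS beacons on TCP/443 in captured flow payloads.
Added example, not code from the original article or the CISA/FBI/DoD MAR.
Assumption: a flow is an ordered list of (direction, payload) tuples with
direction "c2s" (client to server) or "s2c"; the sample flows are constructed.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    messages: list  # [(direction, bytes), ...] in capture order


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the bytes start a plausible TLS record (content type 0x16 =
    handshake, major version 0x03); a real client on 443 opens with one."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def analyze_flow(flow: Flow) -> dict:
    """Return findings for a port-443 flow, or {} if nothing stands out.

    Two traits of the Taidoor C2 exchange described above are checked:
      1. the server speaks first (Taidoor waits for >= 1 byte from the C2
         before sending anything; a TLS client sends the ClientHello first);
      2. the first client payload is not a TLS record and begins with "F::",
         followed by the key both sides use for the rest of the session.
    """
    if flow.dst_port != 443 or not flow.messages:
        return {}
    finding = {}
    if flow.messages[0][0] == "s2c":
        finding["server_spoke_first"] = True
    client_payloads = [p for d, p in flow.messages if d == "c2s"]
    if client_payloads and not looks_like_tls_record(client_payloads[0]):
        finding["non_tls_on_443"] = True
        if client_payloads[0].startswith(b"F::"):
            finding["taidoor_prefix"] = True
            # bytes after "F::" are recorded for the analyst, never reused
            finding["key_material_hex"] = client_payloads[0][3:].hex()
    return finding


# Constructed flows: a normal TLS ClientHello, and a Taidoor-like exchange
# where the C2 sends one arbitrary byte before the implant announces "F::".
BENIGN_FLOW = Flow(443, [("c2s", b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03")])
SUSPECT_FLOW = Flow(443, [("s2c", b"\x00"),
                          ("c2s", b"F::" + b"EXAMPLEKEY0123456789")])
```

Running analyze_flow over BENIGN_FLOW returns an empty dict, while SUSPECT_FLOW yields all three flags plus the hex of the bytes that followed the “F::” marker.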
As per precedent, India can also not be left out of the large-scale campaign initiated by the Chinese, especially after the fall-out of the ‘Galwan Stand-off’ between India and China in May/Jun/Jul 2020. There appears to be no data on the systems already affected by “Taidoor RAT”. The Chinese counter-action to India’s ban on Chinese apps is also cause for this worry.
The malware is also known to use spear-phishing techniques to spread among victims. Those targeted by this malware can include government agencies, corporate entities, think tanks and individuals, especially those with interests in Taiwan or Indo-US relations and those opposed to the agenda of the Chinese CPC and PLA.