Taidoor is malware traditionally used as a Remote Access Trojan (RAT) and associated with other malware families such as PITTYTIGER and ENFAL. Its primary attack vector is phishing email themed around military affairs, renewable energy, or business strategy; the malware infects systems through these deceptive messages, often without the user's knowledge. Once inside, Taidoor can steal personal information and disrupt operations. Two specific files, "ml.dll" and "rasautoex.dll", have been identified as Taidoor loaders, responsible for decrypting and executing other components of the malware.
In 2020, Taiwan's security authority reported cyberattacks on the email accounts of approximately 6,000 government officials by two hacking groups, BlackTech and Taidoor, both believed to be backed by the Chinese Communist Party. The Taidoor malware communicates with its command and control (C2) server using an encryption key that always begins with "F::". After sending this key, it expects the server to respond with "200 OK\r\n\r\n". Taidoor's "Start" function then decrypts a series of import strings and uses them to resolve functions dynamically from the loaded DLLs.
Despite its sophisticated operation, Taidoor has no built-in mechanism for persisting across a system reboot. Once it has successfully connected to its C2 server, however, it creates a Windows INI configuration file and copies cmd.exe into the system temp folder, establishing its presence on the infected system. The encrypted files loaded by "ml.dll" and "rasautoex.dll" have also been identified as part of the Taidoor RAT, further highlighting the complex, layered structure of this malware.
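The C2 handshake described above (a key beginning with "F::" answered by "200 OK\r\n\r\n") can be turned into a simple flow-level detection. The following is an added example written for this page, not code from the original description or from any Taidoor analysis; the flow-record shape, the field names, the assumption that the first payload bytes of each side are available, and the sample flows are all constructed for illustration.

```python
# Added example: heuristic detector for the Taidoor C2 handshake, run over
# constructed flow records. A flow is flagged only when BOTH halves match:
# the client's first payload starts with "F::" AND the server's first payload
# starts with the bare "200 OK\r\n\r\n" reply the implant waits for.
# Flow-record layout, field names and sample data are assumptions, not from the page.
from dataclasses import dataclass

TAIDOOR_KEY_PREFIX = b"F::"        # the encryption key sent by the implant always begins with this
TAIDOOR_ACK = b"200 OK\r\n\r\n"    # the reply the implant expects before it continues


@dataclass
class Flow:
    src: str             # client address
    dst: str             # server address
    client_first: bytes  # first payload bytes the client sent
    server_first: bytes  # first payload bytes the server answered with


def is_taidoor_handshake(flow: Flow) -> bool:
    """True when the flow looks like the implant's key exchange with its C2 server.

    A bare "200 OK" reply on its own is far too common to be an indicator, and a
    client payload that happens to start with "F::" could be coincidental, so the
    two conditions are required together to keep false positives down.
    """
    return (flow.client_first.startswith(TAIDOOR_KEY_PREFIX)
            and flow.server_first.startswith(TAIDOOR_ACK))


def find_taidoor_flows(flows):
    """Return (src, dst) pairs for every flow matching the handshake heuristic."""
    return [(f.src, f.dst) for f in flows if is_taidoor_handshake(f)]


# Constructed sample flows; the key bytes after "F::" are made up for this example.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", b"F::" + b"\x8a\x13\x77\x42", b"200 OK\r\n\r\n"),
    Flow("10.0.0.6", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),   # ordinary web traffic
    Flow("10.0.0.7", "203.0.113.11", b"F::" + b"\x01\x02", b"HTTP/1.1 404 Not Found\r\n\r\n"),
    Flow("10.0.0.8", "192.0.2.9", b"ping", b"200 OK\r\n\r\n"),   # ack alone is not enough
]

if __name__ == "__main__":
    for src, dst in find_taidoor_flows(SAMPLE_FLOWS):
        print(f"possible Taidoor C2 handshake: {src} -> {dst}")
```

Only the first sample flow is flagged; the other three each satisfy at most one side of the exchange.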
Description last updated: 2024-05-04T21:22:58.501Z