Taidoor

Malware Profile Updated 3 months ago
Taidoor is malware traditionally used as a Remote Access Trojan (RAT) and associated with other malware families such as PITTYTIGER and ENFAL. Its primary attack vector is phishing email themed around military, renewable energy, or business strategy; a recipient who opens the lure infects the system, typically without noticing. Once installed, Taidoor can steal personal information and disrupt operations. Two files, "ml.dll" and "rasautoex.dll", have been identified as Taidoor loaders, responsible for decrypting and executing other components of the malware; the encrypted files these loaders load have themselves been identified as part of the Taidoor RAT.

In 2020, Taiwan's security authority reported cyberattacks on the email accounts of approximately 6,000 government officials by two hacking groups, BlackTech and Taidoor, both believed to be backed by the Chinese Communist Party.

Taidoor communicates with its command and control (C2) server using an encryption key that always begins with "F::". After sending this key it expects the response "200 OK\r\n\r\n" from the server. Its "Start" function then decrypts multiple import strings to dynamically import functions from the loaded DLLs. Taidoor has no built-in function to persist across a system reboot; however, once it has successfully connected to its C2 server it creates a Windows INI configuration file and copies cmd.exe into the system temp folder, establishing its presence on the infected system.
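The profile names a small set of observable behaviours: a C2 handshake whose client-sent key begins with "F::" and whose reply is exactly "200 OK\r\n\r\n", two loader DLL names, and a copy of cmd.exe written into the temp folder. The following Python is an added detection example, not code from the original page or from any vendor; the record shapes, function names and all sample data are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the profile text above.
LOADER_NAMES = {"ml.dll", "rasautoex.dll"}
KEY_PREFIX = b"F::"
EXPECTED_REPLY = b"200 OK\r\n\r\n"


@dataclass
class Exchange:
    """One client request and the server's reply (constructed record shape)."""
    dst: str
    request: bytes
    response: bytes


def is_taidoor_handshake(ex: Exchange) -> bool:
    """Match the handshake as the profile describes it: the client sends a key
    beginning with 'F::' and the server answers exactly '200 OK\\r\\n\\r\\n'.
    Requiring both halves keeps an ordinary HTTP '200 OK' from matching alone."""
    return ex.request.startswith(KEY_PREFIX) and ex.response == EXPECTED_REPLY


# cmd.exe sitting directly inside a folder named "temp" (either path separator).
_CMD_IN_TEMP = re.compile(r"[\\/]temp[\\/]cmd\.exe$", re.IGNORECASE)


def flag_file_events(events):
    """events: iterable of (action, path) pairs from a constructed file-activity log.
    Returns (tag, path) hits for loads of the named loader DLLs and for a cmd.exe
    written into a temp folder. An INI write alone is too generic to flag."""
    hits = []
    for action, path in events:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if action == "load" and name in LOADER_NAMES:
            hits.append(("loader_dll", path))
        elif action == "create" and _CMD_IN_TEMP.search(path):
            hits.append(("cmd_copy_temp", path))
    return hits


def assess(exchanges, events):
    """Correlate network and host evidence. A confirmed handshake plus any host
    artifact is 'likely'; a single indicator on its own is only 'review'."""
    c2_hosts = [ex.dst for ex in exchanges if is_taidoor_handshake(ex)]
    host_hits = flag_file_events(events)
    if c2_hosts and host_hits:
        verdict = "likely"
    elif c2_hosts or host_hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "c2_hosts": c2_hosts, "host_hits": host_hits}


# Constructed sample data (not from any real capture or incident).
SAMPLE_EXCHANGES = [
    Exchange("192.0.2.10", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
             b"HTTP/1.1 200 OK\r\n\r\n"),
    Exchange("198.51.100.7", b"F::0123456789abcdef", b"200 OK\r\n\r\n"),
]
SAMPLE_EVENTS = [
    ("load", r"C:\Windows\System32\kernel32.dll"),
    ("load", r"C:\Users\user\AppData\Local\rasautoex.dll"),
    ("create", r"C:\Users\user\AppData\Local\Temp\cmd.exe"),
    ("create", r"C:\Users\user\AppData\Local\Temp\settings.ini"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_EXCHANGES, SAMPLE_EVENTS))
```

The handshake check deliberately requires both the "F::" prefix and the exact reply, since a bare "200 OK" is everywhere. Loader file names are a weak signal by themselves (any file can be renamed), which is why the verdict only rises to "likely" when network and host evidence agree; the decrypted payload and the dynamic import behaviour described above would be the place to confirm with sandbox or memory analysis.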
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Chinese
Rat
Loader
Windows
Malware
Phishing
Encryption
Taiwan
Encrypt
Associated Malware
No associations to display
Associated Threat Actors
ID: BlackTech
Type: Unspecified
Votes: 2
Profile Description: BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sop

ID: PittyTiger
Type: Unspecified
Votes: 1
Profile Description: None
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Taidoor malware was read from the document corpus below. This display is limited to 20 results.
Source, created at: title
CERT-EU, 10 months ago: US, Japan authorities warn of China-linked hacking group BlackTech
MITRE, a year ago: Taiwan says China behind cyberattacks on government agencies, emails
MITRE, a year ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE, a year ago: MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA