Taidoor

Malware updated 4 months ago (2024-05-04T22:18:59.242Z)
Taidoor is malware traditionally used as a Remote Access Trojan (RAT) and is associated with other malware families such as PITTYTIGER and ENFAL. Its primary attack vector is phishing email themed around military matters, renewable energy, or business strategy; the malware infects systems through these deceptive messages, often without the user's knowledge. Once inside, Taidoor can steal personal information and disrupt operations. Two specific files, "ml.dll" and "rasautoex.dll", have been identified as Taidoor loaders, responsible for decrypting and executing the other components of the malware; the encrypted files they load have been identified as part of the Taidoor RAT itself.

In 2020, Taiwan's security authority reported cyberattacks on the email accounts of approximately 6,000 government officials by two hacking groups, BlackTech and Taidoor. These groups were believed to be backed by the Chinese Communist Party.

Taidoor communicates with its command and control (C2) server using an encryption key that always begins with "F::". After sending this key, it expects the server to respond with "200 OK\r\n\r\n". Its "Start" function then decrypts a series of import strings in order to dynamically import functions from the loaded DLLs. Despite this level of sophistication, Taidoor has no built-in mechanism for persisting across a system reboot. However, once it has successfully connected to its C2 server, it creates a Windows INI configuration file and copies cmd.exe into the system temp folder, thereby establishing its presence on the infected system.
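The C2 handshake described above (a client payload beginning with "F::" answered by exactly "200 OK\r\n\r\n") can be checked against recorded network flows. The following is an added defender-side example, not code from this page or from the cited CISA report; the tab-separated flow-log format and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Handshake indicators taken from the description above.
KEY_PREFIX = b"F::"
C2_ACK = b"200 OK\r\n\r\n"


def is_taidoor_handshake(first_client_payload: bytes, first_server_payload: bytes) -> bool:
    """True when the client's first payload starts with 'F::' and the
    server's first reply is exactly '200 OK\\r\\n\\r\\n'."""
    return first_client_payload.startswith(KEY_PREFIX) and first_server_payload == C2_ACK


def parse_flow_log(text: str) -> dict:
    """Parse constructed tab-separated records: timestamp, session id,
    direction (C2S or S2C), hex-encoded payload. Payloads are kept in log
    order per session so the first exchange can be examined."""
    flows = defaultdict(lambda: {"C2S": [], "S2C": []})
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, session, direction, hexpayload = line.split("\t")
        flows[session][direction].append(bytes.fromhex(hexpayload))
    return flows


def detect_taidoor_sessions(log_text: str) -> list:
    """Return the ids of sessions whose first client/server exchange
    matches the Taidoor handshake."""
    hits = []
    for session, payloads in parse_flow_log(log_text).items():
        if payloads["C2S"] and payloads["S2C"] and \
                is_taidoor_handshake(payloads["C2S"][0], payloads["S2C"][0]):
            hits.append(session)
    return hits


# Constructed sample records (hypothetical sessions, not real captures).
SAMPLE_LOG = "\n".join([
    "# timestamp, session, direction, hex(payload)",
    "2024-05-04T21:22:58Z\tsess-1\tC2S\t" + (b"F::" + b"\x01\x02\x03\x04").hex(),
    "2024-05-04T21:22:58Z\tsess-1\tS2C\t" + b"200 OK\r\n\r\n".hex(),
    "2024-05-04T21:23:10Z\tsess-2\tC2S\t" + b"GET / HTTP/1.1\r\n\r\n".hex(),
    "2024-05-04T21:23:10Z\tsess-2\tS2C\t" + b"HTTP/1.1 200 OK\r\n\r\n".hex(),
    "2024-05-04T21:23:30Z\tsess-3\tC2S\t" + b"F::zz".hex(),      # key prefix only
    "2024-05-04T21:23:30Z\tsess-3\tS2C\t" + b"200 OK\r\n".hex(),  # reply does not match
])

if __name__ == "__main__":
    print(detect_taidoor_sessions(SAMPLE_LOG))  # ['sess-1']
```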
Description last updated: 2024-05-04T21:22:58.501Z
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Threat Actors
BlackTech (type: unspecified; votes: 2): BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat
Source Document References
Information about the Taidoor malware was read from the document corpus below. This display is limited to 20 results.

- CERT-EU (a year ago): US, Japan authorities warn of China-linked hacking group BlackTech
- MITRE (2 years ago): Taiwan says China behind cyberattacks on government agencies, emails
- MITRE (2 years ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
- MITRE (2 years ago): MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA