Taidoor malware: what it is, how it works and how to prevent it | malware spotlight

Taidoor is the name of the latest persistent threat analyzed and described by the ReversingLabs team, and we will be using some of their findings in this article. Taidoor has been linked to the Chinese government, and the latest versions are being used together with proxy servers to establish persistence on the target networks and to support further activity. Like other malicious software, this piece of malware needs to be stealthy to keep operating for months and even years.

This new version of Taidoor is composed of two principal parts:

- An initial loader in DLL form
- The RAT main module, which comes as RC4-encrypted binary data

In detail, the Taidoor loader starts by decrypting the encrypted main module and then executes the “Start” function present in the DLL's Export Address Table (EAT).

Figure 1: Exported functions present in the EAT of the Taidoor RAT.

Put the pieces together

By analyzing several samples of this threat, it is possible to see that they all use the same AES key (16157E2BA6D2AE288815F7AB3C4FCF09). Nonetheless, the criminals behind Taidoor added a further encryption layer for configuration decryption: the AES key and S-Box initialization.
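The two steps described above (the loader decrypting its embedded module and resolving the "Start" export, and the AES key constant shared across samples) can be reproduced by hand during triage. The script below is an added example written for this article, not code from the original page or from ReversingLabs. It assumes the outer layer is RC4 and uses a constructed RC4 key (DEMO_RC4_KEY) and a constructed minimal PE32+ fixture (build_fake_module) in place of a real sample; the AES key is the constant quoted above. It decrypts the blob, refuses to continue unless valid MZ/PE headers appear (a wrong key is caught immediately), walks the export table the same way GetProcAddress would to find "Start", and scans the decrypted image for the shared AES key.

```python
"""Triage helper for a Taidoor-style loader/RAT pair: RC4-decrypt the embedded
module, sanity-check the PE headers, resolve "Start" from the export table
and scan for the shared AES key constant. The fixture is built inline."""
import struct

AES_KEY = bytes.fromhex("16157E2BA6D2AE288815F7AB3C4FCF09")  # constant quoted in the article
DEMO_RC4_KEY = b"demo-rc4-key"  # assumption for the fixture only, not a key from any sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unpack_module(blob: bytes, key: bytes) -> bytes:
    """Do what the loader does (decrypt), then refuse to continue unless the
    result carries MZ and PE\\0\\0 signatures: a wrong key fails here, not later."""
    pe = rc4(key, blob)
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header after decryption: wrong key or not RC4")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header present but PE signature missing")
    return pe


def rva_to_offset(pe: bytes, rva: int) -> int:
    """Translate an RVA to a file offset by walking the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec = e_lfanew + 24 + opt_size
    for _ in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, sec + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
        sec += 40
    raise ValueError(f"RVA {rva:#x} is outside every section")


def list_exports(pe: bytes) -> dict:
    """Return {name: rva} from the Export Address Table, i.e. the view that
    GetProcAddress(module, "Start") resolves against."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    magic = struct.unpack_from("<H", pe, e_lfanew + 24)[0]
    datadir = e_lfanew + 24 + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    exp_rva = struct.unpack_from("<I", pe, datadir)[0]        # DataDirectory[0] = exports
    if exp_rva == 0:
        return {}
    exp = rva_to_offset(pe, exp_rva)
    _nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", pe, exp + 20)
    funcs, names, ords = (rva_to_offset(pe, r) for r in (funcs_rva, names_rva, ords_rva))
    exports = {}
    for k in range(nnames):
        name_off = rva_to_offset(pe, struct.unpack_from("<I", pe, names + 4 * k)[0])
        name = pe[name_off:pe.index(b"\0", name_off)].decode("ascii")
        ordinal = struct.unpack_from("<H", pe, ords + 2 * k)[0]  # unbiased index into AddressOfFunctions
        exports[name] = struct.unpack_from("<I", pe, funcs + 4 * ordinal)[0]
    return exports


def aes_key_offsets(data: bytes) -> list:
    """Offsets of the shared AES key. Observation made here, not in the article:
    byte-swapping each dword of the constant gives 2b7e1516 28aed2a6 abf71588
    09cf4f3c, the FIPS-197 example key, so a sample may store either byte order."""
    swapped = b"".join(AES_KEY[i:i + 4][::-1] for i in range(0, 16, 4))
    return sorted(i for pat in (AES_KEY, swapped)
                  for i in range(len(data) - 15) if data[i:i + 16] == pat)


def build_fake_module(names=("Start",)) -> bytes:
    """Constructed fixture: a minimal PE32+ DLL exporting the given names, with
    one section mapped so that RVA == file offset. Not a Taidoor sample."""
    sec_rva = 0x200
    funcs_off, names_off = 40, 40 + 4 * len(names)
    ords_off = names_off + 4 * len(names)
    str_off = ords_off + 2 * len(names)
    strings, name_rvas = b"", []
    for n in names:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += n.encode() + b"\0"
    dll_name_rva = sec_rva + str_off + len(strings)
    strings += b"fake.dll\0"
    code_rva = sec_rva + str_off + len(strings)          # one 'ret' stub per export
    sec = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, len(names), len(names),
                                sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off))
    sec += b"".join(struct.pack("<I", code_rva + k) for k in range(len(names)))
    sec += b"".join(struct.pack("<I", r) for r in name_rvas)
    sec += b"".join(struct.pack("<H", k) for k in range(len(names)))
    sec += strings + b"\xC3" * len(names) + AES_KEY      # key embedded so the scan has a hit
    exp_size = len(sec)
    sec += b"\0" * (-len(sec) % 0x200)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x180000000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x200, 0x200)        # Section/FileAlignment
    struct.pack_into("<II", opt, 56, sec_rva + len(sec), sec_rva)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, exp_size)  # DataDirectory[0] = export table
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022) + bytes(opt)
    hdr += b".edata\0\0" + struct.pack("<IIIIIIHHI", len(sec), sec_rva, len(sec), sec_rva, 0, 0, 0, 0, 0x40000040)
    return hdr + b"\0" * (sec_rva - len(hdr)) + bytes(sec)


def triage(blob: bytes, key: bytes) -> dict:
    """End-to-end: decrypt, validate, resolve Start, locate the shared key."""
    pe = unpack_module(blob, key)
    exports = list_exports(pe)
    return {"start_rva": exports.get("Start"), "exports": sorted(exports),
            "aes_key_hits": aes_key_offsets(pe)}


if __name__ == "__main__":
    fixture = build_fake_module(("Start", "Stop"))
    print(triage(rc4(DEMO_RC4_KEY, fixture), DEMO_RC4_KEY))
```

On a real loader you would replace the fixture with the blob carved from the loader's data section and the RC4 key recovered from its decryption routine; the header check is what tells you quickly whether the carve offset and key are right, and the export walk confirms you are looking at the RAT rather than some other embedded resource.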

Figure 2:

Read More: https://resources.infosecinstitute.com/topic/taidoor-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/