Taidoor is the name of the last persistent threat analyzed and described by Reversing Labs team, and we’ll be using some of their research in this article. Traidoor has been linked to the Chinese government, and the last versions are being used along with proxy servers to create persistence on the target networks and be used on further activities. Like other malicious tools, this piece of malware needs to be stealthy to maintain its activity for large months and even years.
The new updates of this version of Taidoor RAT are composed of two principal parts:
An initial loader in a DLL form The RAT main module comes as RCE-encrypted binary data.
In detail, the Taidoor loader starts by decrypting the encrypted main module and executes the “Start” call present on the DLL Export Address Table (EAT).
Figure 1: Exported functions present on the EAT of Taidoor RAT.
Put the pieces together
By analyzing some samples of this threat, it’s possible to learn they are using the same AES key (16157E2BA6D2AE288815F7AB3C4FCF09). Nonetheless, there is an additional encryption layer in place developed by crooks responsible for configuration decryption – AES key and S-Box initialization.