Chinese Remote Access Trojan : TAIDOOR

Noel

Working with U.S. Government partners, FBI, and DoD identified a malware variant used by Chinese government cyber actors, which is known as TAIDOOR.

FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this information to enable network defense and reduce exposure to Chinese government malicious cyber activity.

While traditional signature and heuristic based endpoint protection require an update to detect and respond to this type of zero-day malware, our 24×7 threat hunting team catch C2 remote access trojans by state-of-the-art inspection of your system logs through multiple Security Information Event Management systems (SIEMs).

Find out more about what makes our security different:

 

This MAR includes suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

Malicious binaries identified as a x86 and x64 version of Taidoor were submitted for analysis. Taidoor is installed on a target’s system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT).

Files :

0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686 (svchost.dll)

363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90 (svchost.dll)

4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4 (ml.dll)

6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57 (rasautoex.dll)

Domains : 

cnaweb.mrsl####.com (Domain obfuscated for link protection)