Taidoor Remote Access Trojan

Taidoor is a sophisticated RAT used by several APT groups believed to be associated with the Chinese government or military. First seen in the wild in 2008 in attacks throughout Eastern Asia, it has begun to be seen in campaigns in Europe, Canada, and the USA.



Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in 2008, Taidoor is an advanced remote access trojan (RAT) associated with a number of advanced persistent threat groups affiliated with the Chinese government. Historically it was used in campaigns against engineering, financial, and government organisations throughout East and Southeast Asia; however, it has now begun to appear in attacks against similar organisations in Western Europe and North America.


Delivery

At the time of publication, it is unclear how Taidoor is initially delivered to target systems; however, reports confirm that it is delivered as an encrypted DLL file together with an associated loader module. The loader decrypts the DLL containing Taidoor proper and loads it directly into memory, so the decrypted payload is not written to disk.


Activities

Taidoor is a full-fledged RAT able to deliver secondary payloads, exfiltrate files, and execute commands and applications. Whilst it is not currently clear how Taidoor is being deployed, there is evidence to suggest that it is used as a foothold in target networks, giving the groups access for reconnaissance and propagation before it acts as a first-stage loader for additional payloads.


Threat updates

Date         Update
13 Aug 2020  APT groups identified

Both APT17 and Deep Panda have been identified as groups using Taidoor historically.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 119[.]28[.]232[.]60
  • 210[.]68[.]69[.]82
  • 35[.]200[.]168[.]117
  • 47[.]52[.]90[.]176
  • 202[.]142[.]153[.]154
  • 80[.]149[.]239[.]139
  • 202[.]142[.]172[.]131
  • 112[.]217[.]74[.]188
  • 201[.]159[.]226[.]189
  • 202[.]251[.]249[.]222
  • 202[.]40[.]188[.]10
  • 203[.]114[.]103[.]58
  • 203[.]116[.]147[.]94
  • 203[.]146[.]189[.]141
  • 203[.]146[.]189[.]160
  • 203[.]150[.]231[.]236
  • 203[.]90[.]100[.]21
  • 210[.]65[.]11[.]11
  • 211[.]22[.]72[.]193
  • 211[.]35[.]222[.]6
  • 213[.]50[.]91[.]196
  • 216[.]139[.]109[.]156
  • 222[.]101[.]218[.]86
  • 58[.]40[.]20[.]165
  • 60[.]248[.]216[.]194
  • 60[.]249[.]219[.]82
  • 60[.]250[.]39[.]73
  • 61[.]218[.]233[.]51
  • 61[.]222[.]190[.]100
  • 61[.]222[.]205[.]180
  • 62[.]13[.]61[.]173
  • 63[.]135[.]55[.]13
  • 64[.]34[.]60[.]218
  • 69[.]178[.]171[.]135
  • 85[.]43[.]157[.]110

Domains

  • cnaweb[.]mrslove[.]com
  • braintrust[.]almostmy[.]com
  • facebook[.]trickip[.]net
  • kllserver[.]serveftp[.]com
  • klserver[.]servehttp[.]com
  • mac[.]gov[.]skies[.]tw
  • nscnet[.]gov[.]medicare[.]tw
  • opp[.]gov[.]taiwans[.]tw

Host indicators

MD5 hashes

  • 0998743b808b57f6707641be64fa4fcd
  • 1de1a60f51829e5e0d30dfd4b5197a72
  • 20db3ff24701f4adac3cc61b591b6c98
  • 265785ccc9503d30465156b90afa2523
  • 2d33005a26a9cb2063dde2fa179b453e
  • 454c9960e89d02e4922245efb8ef6b49
  • 4a1365bdef0773aa0d3d33877d5a5334
  • 4b92f9b403fa59a35edf5af2f1aa98fb
  • 5dd13efe319f0cdfe75346a46c1b791b
  • 5eb86d098a5ab48c7173545829008636
  • 5efc35315e87fdc67dada06fb700a8c7
  • 5fd848000d68f45271a0e1abd5844493
  • 608bae3e4a59e4954f9bf43e504e2340
  • 65a0716af402727247296649abda7be6
  • 6703dd35f6f56f35d298b9cd4c73e9cb
  • 6b5ca357066b40def382a1e130fb87cb
  • 7488ffd5d9c1751d1ceca88a4231304b
  • 7f82c77a1f1b36f392f2f1763e2cc119
  • 811aae1a66f6a2722849333293cbf9cd
  • 8406c1ae494add6e4f0e78b476fb4db0
  • 85c64f43de8cb83234ee21fb0234f256
  • 920a7857da9ee7b403f3077660eddf31
  • 95bfeb4b7b8edb2517ede938bf9791d9
  • 97ff2338e568fc382d41c30c31f89720
  • a0fff659499a4a76af2b89d28d0eafa2
  • ac75e62b36f4e845c1a095c9bcc43896
  • b80da571f2cd7eab4aec12eee8199289
  • bc69a262bcd418d194ce2aac7da47286

SHA256 hashes

  • 0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686
  • 1c79fccfc7040f9b4864b6b9d99b2bcd25b1ee91ddac9df97c16159968c498a7
  • 363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90
  • 4a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4
  • 6e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e57
  • 7ed26fdb2b6a41f3ce0b8e270c93de6c9b6f7c3a9e2cd3433eb41d8840dee
  • dd404e8bea3a679106eda97dca00c0f0f27802b459af0a18cb19da176978b7e4
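As an added example (not part of the NHS Digital advisory), the following Python script shows how a defender can turn the defanged indicators above into a matchable watch list and run it over log data. It uses a subset of the advisory's IP, domain and hash values copied as published; the proxy log lines and the file inventory are constructed samples. The validation step is included because one of the published SHA256 values is shorter than 64 hex characters and would otherwise sit in a blocklist and never match anything; the matcher also compares whole host and IP tokens rather than substrings, so a superstring such as 1210.68.69.82 does not trigger on the listed 210.68.69.82.

```python
"""Match defanged Taidoor indicators against sample logs and a file inventory.

Added example, not code from the NHS Digital advisory. Indicator values are a
subset of the advisory's lists; log lines and file inventory are constructed.
"""
import re

# Indicators as published in the advisory (defanged with "[.]").
DEFANGED_IPS = [
    "119[.]28[.]232[.]60",
    "210[.]68[.]69[.]82",
    "35[.]200[.]168[.]117",
]
DEFANGED_DOMAINS = [
    "cnaweb[.]mrslove[.]com",
    "facebook[.]trickip[.]net",
    "klserver[.]servehttp[.]com",
]
MD5_HASHES = [
    "0998743b808b57f6707641be64fa4fcd",
    "1de1a60f51829e5e0d30dfd4b5197a72",
]
SHA256_HASHES = [
    "0d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686",
    # Copied as published: only 61 hex characters, so it is not a usable SHA256.
    "7ed26fdb2b6a41f3ce0b8e270c93de6c9b6f7c3a9e2cd3433eb41d8840dee",
]

# Constructed sample proxy log (timestamp, client, method, target, status).
SAMPLE_PROXY_LOG = [
    "2020-08-13T10:02:11Z 10.0.0.5 GET http://facebook.trickip.net/index.php 200",
    "2020-08-13T10:02:12Z 10.0.0.7 CONNECT 119.28.232.60:443 200",
    "2020-08-13T10:02:13Z 10.0.0.9 GET http://www.example.org/ 200",
    "2020-08-13T10:02:14Z 10.0.0.9 CONNECT 1210.68.69.82:443 200",  # superstring, must not match
]

# Constructed sample file inventory: (path, md5, sha256). Placeholder hashes are
# filler values, not real file digests.
SAMPLE_INVENTORY = [
    ("C:\\Users\\Public\\svchost.dll", "0998743b808b57f6707641be64fa4fcd", "a" * 64),
    ("C:\\Windows\\System32\\kernel32.dll", "b" * 32, "c" * 64),
]

HEX_LENGTHS = {"md5": 32, "sha256": 64}
TOKEN_RE = re.compile(r"[a-z0-9.\-]+")


def refang(indicator: str) -> str:
    """Reverse the '[.]' defanging used in the advisory so values can be compared."""
    return indicator.replace("[.]", ".").strip().lower()


def validate_hashes(hashes, kind):
    """Split a hash list into well-formed entries and rejects (wrong length or non-hex)."""
    want = HEX_LENGTHS[kind]
    good, bad = set(), []
    for h in hashes:
        h = h.strip().lower()
        if len(h) == want and re.fullmatch(r"[0-9a-f]+", h):
            good.add(h)
        else:
            bad.append(h)
    return good, bad


def host_matches(token, domains):
    """Exact host or subdomain match, never a bare substring match."""
    token = token.rstrip(".")
    return any(token == d or token.endswith("." + d) for d in domains)


def scan_log(lines, ips, domains):
    """Return (line_number, indicator) for each whole token equal to a listed IP or host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line.lower()):
            if tok in ips:
                hits.append((n, tok))
            elif host_matches(tok, domains):
                hits.append((n, tok.rstrip(".")))
    return hits


def scan_file_inventory(inventory, md5s, sha256s):
    """Return the paths whose MD5 or SHA256 appears on the validated hash lists."""
    return [path for path, md5, sha in inventory
            if md5.lower() in md5s or sha.lower() in sha256s]


def run():
    """Build the watch list from the published indicators and scan the samples."""
    ips = {refang(i) for i in DEFANGED_IPS}
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    md5s, bad_md5 = validate_hashes(MD5_HASHES, "md5")
    sha256s, bad_sha = validate_hashes(SHA256_HASHES, "sha256")
    return {
        "network_hits": scan_log(SAMPLE_PROXY_LOG, ips, domains),
        "file_hits": scan_file_inventory(SAMPLE_INVENTORY, md5s, sha256s),
        "rejected_hashes": bad_md5 + bad_sha,
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Any rejected hash should be checked against the original source before it is loaded into a blocklist; a malformed entry neither matches nor raises an error, which is why the script reports it explicitly rather than dropping it.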

Last edited: 13 August 2020 11:15 am