Government-supported actors usually conduct long-lasting activities
in cyberspace, and to simplify such continuous operations they often
develop malicious tools intended to be used for a long period of time.
Like any other malicious tool, such a tool needs to be stealthy, and
once it gets detected, some modification is necessary for it to become
undetectable again. Sometimes this is as simple as changing the
compromised infrastructure, while at other times a new version of the
tool has to be created. When an organization puts that much effort into
creating a tool, it probably doesn’t plan to use it in mass campaigns.
The tool is expected to be used in smaller, targeted attacks; therefore,
researchers won’t have many samples at their disposal for analysis.
An example of such a tool is Taidoor, a remote access trojan (RAT)
dating all the way back to 2008, a new version of which was recently
discovered and presented in a technical report released by US government
institutions. Taidoor is described as a RAT developed and used by cyber
actors supported by the Chinese government. The new version consists of
two parts – a loader in DLL form, and a main RAT module that comes as
RC4-encrypted binary data. The loader first decrypts the encrypted main
RAT module and then calls its exported Start function. The report
provides two samples of each part, the loader and the encrypted main RAT
module. These samples come with only two C2 domains and one C2 IP
address.
Taidoor
As already mentioned, the Taidoor RAT consists of two parts, a loader
and the main RAT module. A few pivoting attempts on the loader samples
didn’t produce any results, so we focused on the samples of the main RAT
module. This makes sense, as they contain the malware configuration
including C2 domains and IPs.
The two samples of the main RAT module available from the threat report
are RC4-encrypted and, in that form, aren’t suitable for pivoting. The
first step is to decrypt them back into their normal DLL format so that
metadata can be extracted. Publicly available tools like CyberChef can
decrypt data encrypted with various algorithms, including RC4.
Once decrypted, each DLL is processed with the Titanium Platform and its
metadata is extracted. The first thing to do is look at the files that
RHA1, our functional file similarity algorithm, groups into the same
bucket as each of the samples.
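To make the decryption step concrete, here is an added Python example (not code from the report or from ReversingLabs) that performs the RC4 decryption and checks that the result looks like a DLL before it is handed over for metadata extraction. The key and the sample module bytes are constructed placeholders, since the page does not give the real RC4 key.

```python
import struct

# Placeholder key: the real RC4 key from the report is not given on this page.
PLACEHOLDER_KEY = b"placeholder-key"

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling (KSA), then XOR with the PRGA keystream.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe_dll(blob: bytes) -> bool:
    """Sanity check on a decryption result: 'MZ' DOS header, e_lfanew pointing
    at the PE signature, and IMAGE_FILE_DLL (0x2000) set in the Characteristics
    field of the 20-byte COFF header that follows the signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return bool(characteristics & 0x2000)

def recover_module(encrypted: bytes, key: bytes = PLACEHOLDER_KEY):
    """Decrypt with the candidate key; return the module only if it validates."""
    plain = rc4(key, encrypted)
    return plain if looks_like_pe_dll(plain) else None

def build_fake_dll() -> bytes:
    """Constructed stand-in for the main RAT module: a DOS header whose
    e_lfanew points at a minimal COFF header flagged as a DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE|32BIT|DLL)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff
```

With a wrong key the output fails the PE check and `recover_module` returns `None`, which is the signal to try another key rather than feed garbage into metadata extraction.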
Similar files grouped by RHA1 algorithm
The RHA1 algorithm reveals ten more samples dating back to 2018 and 2019. However, there are additional options for pivoting. Looking at the samples’ exports shows a specific combination of exported functions and an original file name.