This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with Government partners, CISA, FBI, and DoD identified a malware variant used by Chinese government cyber actors, which is known as TAIDOOR. For more information on Chinese malicious cyber activity, please visit https//.

FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to Chinese government malicious cyber activity.

This MAR includes suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

Malicious binaries identified as an x86 and an x64 version of Taidoor were submitted for analysis. Taidoor is installed on a target's system as a service dynamic link library (DLL) and is comprised of two files. The first file is a loader, which is started as a service. The loader decrypts the second file and executes it in memory; the second file is the main Remote Access Trojan (RAT).

For a downloadable copy of IOCs, see MAR-10292089-1.v2.stix.

The file utilizes the export function called "MyStart" to decrypt and load "svchost.dll" (8CF683B7D181591B91E145985F32664C), which was identified as Taidoor malware. The "MyStart" function looks for the file name "svchost.dll" in its running directory. If that file is located, the DLL will read "svchost.dll" into memory. After the file is read into memory, the DLL uses an RC4 encryption algorithm to decrypt the contents of the file. The RC4 key used for decryption is "ar1z7d6556sAyAXtUQc2". After the loader has finished decrypting "svchost.dll", the loader now has a decrypted version of Taidoor, which is a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll, which Taidoor will utilize.

rule CISA_10292089_01 : rat loader TAIDOOR
Description = "Detects Taidoor Rat Loader samples"
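The loader's decryption step described above, reconstructed as an analyst triage helper (an added example, not code from the MAR or from CISA): apply the published RC4 key to a captured on-disk "svchost.dll" blob and check whether the result carries a PE header, which is the quickest way to confirm that a recovered file is the encrypted Taidoor DLL. The function names, the PE-header check and the sample input are this example's own assumptions; the sample is constructed in the block by encrypting a minimal fake PE-shaped buffer with the same key.

```python
"""Triage helper: decrypt a candidate Taidoor "svchost.dll" with the
loader's RC4 key and report whether the output is a PE image."""
import struct
from typing import Tuple

# RC4 key the loader uses to decrypt "svchost.dll" (quoted in the MAR).
TAIDOOR_RC4_KEY = b"ar1z7d6556sAyAXtUQc2"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). RC4 is
    symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(image: bytes) -> bool:
    """True if the buffer starts with an MZ header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_taidoor_payload(blob: bytes) -> Tuple[bool, bytes]:
    """Decrypt a candidate "svchost.dll" with the published key; return
    (is_pe, decrypted_bytes) so a PE hit can go straight to analysis."""
    image = rc4(TAIDOOR_RC4_KEY, blob)
    return looks_like_pe(image), image


# Constructed sample (not a real Taidoor file): a minimal PE-shaped buffer
# encrypted with the same key, so the decrypt path runs offline.
_FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
SAMPLE_ENCRYPTED_SVCHOST = rc4(TAIDOOR_RC4_KEY, _FAKE_PE)

if __name__ == "__main__":
    is_pe, _ = decrypt_taidoor_payload(SAMPLE_ENCRYPTED_SVCHOST)
    print("decrypted blob is a PE image:", is_pe)
```

On a real case, read the suspect "svchost.dll" from the service's directory into `blob`; a `True` result means the file decrypts to a DLL and should be hashed and analysed rather than trusted as a Windows component.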