Taidoor

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[1] Taidoor has primarily been used against Taiwanese government organizations since at least 2010.[2]

ID: S0011
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Taidoor can upload data and files from a victim's machine.[2]

Enterprise T1112 Modify Registry

Taidoor has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Taidoor uses RC4 to encrypt the message body of HTTP content.[2][1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Taidoor can use a stream cipher to decrypt strings used by the malware.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Taidoor has modified the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key for persistence.[2]
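As an added defender-side illustration (not part of the original page and not Taidoor's own code), the check below scans constructed registry value-set events, modelled loosely on Sysmon Event ID 13, for writes to the per-user Run key named above and raises the severity when the autostart target points into a temp directory. The simplified key=value line format, the sample events and the temp-path heuristic are all assumptions made for this example.

```python
import re
from typing import Dict, List

# Run key from the page, case-insensitive, matching both the HKCU\ spelling and
# the HKU\<SID>\ form that Sysmon records for per-user hives.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)
# Constructed heuristic: an autostart entry living under a temp directory is
# treated as higher risk (the page notes Taidoor copies cmd.exe to the temp folder).
TEMP_PATH_RE = re.compile(r"\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)
# Simplified event format: whitespace-separated key=value pairs, no spaces in values.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update "
    "Details=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
    "EventID=13 Image=C:\\Windows\\regedit.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Console\\ScreenBufferSize Details=DWORD:0x00190050",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict (values assumed space-free)."""
    return dict(KV_RE.findall(line))


def find_run_key_writes(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per value-set event that targets a per-user Run key."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        details = ev.get("Details", "")
        findings.append({
            "value_name": target.rsplit("\\", 1)[-1],  # Run value name written
            "command": details,                        # what will autostart
            "writer": ev.get("Image", ""),             # process that set it
            "severity": "high" if TEMP_PATH_RE.search(details) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_run_key_writes(SAMPLE_EVENTS):
        print(finding)
```

Every Run key write is reported so an analyst can baseline legitimate entries; the temp-directory heuristic only orders the triage.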

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Taidoor can copy cmd.exe into the system temp folder.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Taidoor has used HTTP GET and POST requests for C2.[2]

Enterprise T1083 File and Directory Discovery

Taidoor can search for specific files.[1]

Enterprise T1106 Native API

Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.[2][1]

Enterprise T1012 Query Registry

Taidoor can query the Registry on compromised hosts using RegQueryValueExA.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Taidoor can use encrypted string blocks for obfuscation.[1]

Enterprise T1204 .002 User Execution: Malicious File

Taidoor has relied upon a victim to click on a malicious email attachment.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Taidoor can use DeleteFileA to remove files from infected hosts.[1]

Enterprise T1124 System Time Discovery

Taidoor can use GetLocalTime and GetSystemTime to collect system time.[1]

Enterprise T1016 System Network Configuration Discovery

Taidoor has collected the MAC address of a compromised host; it can also use GetAdaptersInfo to identify network adapters.[2][1]

Enterprise T1105 Ingress Tool Transfer

Taidoor has downloaded additional files onto a compromised host.[2]

Enterprise T1057 Process Discovery

Taidoor can use GetCurrentProcessId for process discovery.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Taidoor can perform DLL loading.[2][1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Taidoor has been delivered through spearphishing emails.[2]

Enterprise T1095 Non-Application Layer Protocol

Taidoor can use TCP for C2 communications.[1]

References