Taidoor is a highly efficient remotes access trojan (RAT) virus program that is designed to be used without sticking to the system. With the help of the modular system implemented in Taidoor, it is possible to deliver to the infected area only those modules that are necessary to achieve the goals of a particular attack. In this article, we will analyze how to work effectively with Taidoor.
To complicate detection, Taidoor uses various methods: manipulating time stamps, deleting files with modules, obfuscating strings, searching for antivirus programs on the attacked computer, etc.
Taidoor in a hacker's arsenal
Two independent modules collect all the necessary information about the infected system. If necessary, additional modules can be sent from the management server.
With the help of the cryptocurrency RSA + AES used in Taidoor, secrecy is ensured when working with the control server. From the point of view of the implementation of the program, the cryptography in it is not very good. When capturing traffic, you need to use commands from the server. In addition, there is a vulnerability in this algorithm that allows decrypting the received information sent to the server.
Taidoor Downloaders
The main Taidoor downloaders are rasautoex.dll and ml.dll, which have identical functionality. They differ only in bit depth: the first is the 64-bit version of the malware, the second is the 32-bit version. Their properties are shown in Table 1.
Tab. 1. Properties of Taidoor loaders
Bootloader capabilities
The file is rasautoex.dll designed to load the main part of Taidoor into system memory. It can be started by calling the exported function MyStart, or registered as a service as the exported function shows ServiceMain.
How it behaves in the system
When launched, the loader looks in the same directory for a file svchost.dll encrypted with the Taidoor body text. Having found the required file, the loader does the following:
Indicator of Compromise (IoC)
Line: ar1z7d6556sAyAXtUQc2
Body Taidoor
The main encrypted body of Taidoor is presented in the form of one of the files svchost.dll, which differ in bitness. Their properties are described in table. 2.
Tab. 2. File properties of the main body of Taidoor:
The MD5 ending hash file7edd contains the encrypted 64-bit version of the program. In a file with a hash MD5 ending in 2664c, it is 32-bit. The files are almost identical, but contain different addresses for the management servers.
Further, we will talk about the study of the 64-bit version.
General characteristics of Taidoor
The sample under study is an encrypted malicious library launched by a separate program described above.
When launched with rundll32 Taidoor, it checks encrypted settings saved outside the body of the program, in a parameter RValue in the registry key. SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion. If they are missing or in a different release type, the program uses the default settings saved in your body.
Taidoor further decrypts the settings, which include the following data:
If a proxy isinstalled in the program settings, the program tries to access the control server through it. Taidoor sends one encrypted RSA packet that contains an identifier and waits for a response from the server. After a successful attempt, the program creates the file % ALLUSERSPROFILE% \ Application Data \ Microsoft \ ~ svc_.TMp - perhaps this is an indicator of a successful infection, which prevents Taidoor from restarting.
After the main loop ends, the program creates two plugins: one for collecting system data, the second for creating processes and working with the command line.
The program then starts a tapping loop on a separate thread, where it communicates with the C&C server every 10 seconds. In the main thread, the program begins a cycle of receiving commands from the server. Crypto conversion is RSA + AES used when sending messages to the server. A separate key is generated for each message AES.
Here are the actions an attacker can perform on an infected system using Taidoor in its basic configuration (the main module and two built-in plugins):
The id of each Taidoor plugin is found at the beginning of every post. Thus, it allows the program operator to direct commands to specific plugins or separate sources of information and to distinguish between message sources from the program (main module and specific plugins). The following identifiers are used by default:
Taidoor loads external plugins in the form of dynamic libraries on command from the management server. Each plugin has three exported functions:
Taidoor employs all sorts of techniques to make it difficult to detect and investigate an attack:
Initializing Taidoor
Before installation, the module must go through the decryption procedure - this is done by a special bootloader, which was described above. When the exported function Startis called, the execution of the sample itself begins.
In order to avoid manual revision of the program and its subsequent debugging, a mechanism is used that prevents manual debugging, during which the program:
Once launched, Taidoor prevents manual debugging with a primitive function.
Further, the program itself imports all the necessary functions with the exception of LoadLibrary and GetProcAddress.
Taidoor calls a few more harmless and meaningless functions (Figure 1), most likely to defend against detection.
An example of a useless function used by Taidoor.
After that, the malware launches the main function in a new thread. Some of the strings of the malware (for example, the name of the imported functions) are obfuscated using a non-standard stream cipher to make detection more difficult. Strings are deobfuscated just before use.
Communication with the management server
Before the start of each of the main cycles, Taidoor checks the name of the application launched by the malicious program for the presence of a connection string to the command and control server.
Taidoor then tries to connect to the management server. The connection parameters obtained earlier can contain up to 4 server addresses and up to 3 ports per server. You can also specify the HTTP proxy address and port. The sample under test specifies the management server and port, while the 32-bit version specifies two management servers and a port for each.
The connection takes place according to the following algorithm:
Time stamps
Before connecting to the management server, Taidoor opens the system event log and starts reading the records one by one. The program pays special attention to the records of the types 6005(" Start of the event log service") and 6006(" End of the event log service") - they can be used to determine the time during which the machine was started and worked. In the case under consideration, these data are skipped, but the program does not use them.
After connecting to the server, the program creates a file %ALLUSERSPROFILE%\\Application Data\\Microsoft\\~svc_.TMp and also updates its timestamps. Then the program checks the file C:\Windows\win.ini for the presence of a section Micros with a key source. If the key is present, the utility is cmd.exe copied to the address specified in the key (the address is indicated in the CISA report c:\temp\cmd.exe).
The main module
If the first byte of the buffer decrypted by the server contains 1, the rest of the buffer is processed by Taidoor itself. Individual commands can set or use global variables. Here are the most important ones:
The first byte of the remainder of the buffer sent for processing identifies one of the commands. Teams can control the connection of malware to the server, update its settings, upload and download plugins, and perform other malicious actions.
Complete list of commands
Part of the file open handler
Taidoor initializes two built-in plugins:
This is how the process of loading a new plug-in looks like (the function is shown in Fig. 3):
Plugin loading function.
Each module can be deinitialized to make room for another.
When receiving a command from the management server, Taidoor checks the first byte that indicates the destination: the command can be sent either to the main module or to one of the plugins. After the command has been passed to the plugin, the rest of the message text is passed to the proxy functions plugin.
The function of periodic login to the server starts after activating Taidoor plugins. In this function, the program sends a message \ x01 \ xff to the C&C server every 10 seconds.
All requests to the server hereinafter are created according to the following algorithm:
Connecting plugins to the management server
To receive commands from the management server, the malware must enable plugins. The sequence of actions of the malware depends on the commands it receives.
If an error occurs while receiving data from the server, the program terminates the connection and waits for as long as specified in the parameters (in the example under study, this is 1 second), then tries to connect to the new server.
If the server responded with an empty message, the program will remember this. If the server responded in this way 300 times in a row, the program terminates the connection for the time specified in the parameters (in this example, it is 30 minutes), and then tries to establish the connection again.
If the size of the message from the server is greater than or equal to 256 bytes, then the program acts according to the following algorithm:
Plugin capabilities
The integrated module MyPlugCmd is designed to start processes and send commands from the console. During startup, it is passed a parameter that can be saved to a file C: \ Windows \ win.ini.This parameter specifies a copy cmd.exe that is used to make it difficult to find the program.
The module stores several variables in its body. The most important ones are:
It is also worth noting that the "shell" variable stores information about the running console process, which is needed to write to the input stream of this process and receive data from the output stream.
Complete list of commands executed by the MyPlugCmd module
The integrated module MyPlugInfo can collect and send information about IP addresses and MAC addresses of network interfaces, current process ID and infection IDs to the server . He also knows how to execute command 11 from the main handler.
Commands with identifiers
Indicators of Compromise (IoC) of both variants of svchost.dll
Output
The attacker sees Taidoor as a target, a handy entry-level remote control tool with many dynamic expansion options. At the same time, the malware has a user-friendly interface to launch processes and interact with the console.
To be continued…
To complicate detection, Taidoor uses various methods: manipulating time stamps, deleting files with modules, obfuscating strings, searching for antivirus programs on the attacked computer, etc.
Taidoor in a hacker's arsenal
Two independent modules collect all the necessary information about the infected system. If necessary, additional modules can be sent from the management server.
With the help of the cryptocurrency RSA + AES used in Taidoor, secrecy is ensured when working with the control server. From the point of view of the implementation of the program, the cryptography in it is not very good. When capturing traffic, you need to use commands from the server. In addition, there is a vulnerability in this algorithm that allows decrypting the received information sent to the server.
Taidoor Downloaders
The main Taidoor downloaders are rasautoex.dll and ml.dll, which have identical functionality. They differ only in bit depth: the first is the 64-bit version of the malware, the second is the 32-bit version. Their properties are shown in Table 1.
Tab. 1. Properties of Taidoor loaders
Bootloader capabilities
The file is rasautoex.dll designed to load the main part of Taidoor into system memory. It can be started by calling the exported function MyStart, or registered as a service as the exported function shows ServiceMain.
How it behaves in the system
When launched, the loader looks in the same directory for a file svchost.dll encrypted with the Taidoor body text. Having found the required file, the loader does the following:
- Loads the contents of a file into memory.
- Decrypts the file using the RC4 algorithm on a key ar1z7d6556sAyAXtUQc2. In decrypted form, it svchost.dllis a 64-bit library. In the case of a 32-bit loader (ml.dll), the library with the Taidoor body is, accordingly, 32-bit.
- Maps the library in memory.
- Finds and fills in the addresses of all imported functions.
- Finds the address of the function exported from the library Start. If such a function is found, calls it.
Indicator of Compromise (IoC)
Line: ar1z7d6556sAyAXtUQc2
Body Taidoor
The main encrypted body of Taidoor is presented in the form of one of the files svchost.dll, which differ in bitness. Their properties are described in table. 2.
Tab. 2. File properties of the main body of Taidoor:
The MD5 ending hash file7edd contains the encrypted 64-bit version of the program. In a file with a hash MD5 ending in 2664c, it is 32-bit. The files are almost identical, but contain different addresses for the management servers.
Further, we will talk about the study of the 64-bit version.
General characteristics of Taidoor
The sample under study is an encrypted malicious library launched by a separate program described above.
When launched with rundll32 Taidoor, it checks encrypted settings saved outside the body of the program, in a parameter RValue in the registry key. SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion. If they are missing or in a different release type, the program uses the default settings saved in your body.
Taidoor further decrypts the settings, which include the following data:
- management server addresses (domains or IP addresses and ports);
- proxy server address (optional);
- waiting settings (time to reconnect to the server in different situations);
- public RSA key of the server.
If a proxy isinstalled in the program settings, the program tries to access the control server through it. Taidoor sends one encrypted RSA packet that contains an identifier and waits for a response from the server. After a successful attempt, the program creates the file % ALLUSERSPROFILE% \ Application Data \ Microsoft \ ~ svc_.TMp - perhaps this is an indicator of a successful infection, which prevents Taidoor from restarting.
After the main loop ends, the program creates two plugins: one for collecting system data, the second for creating processes and working with the command line.
The program then starts a tapping loop on a separate thread, where it communicates with the C&C server every 10 seconds. In the main thread, the program begins a cycle of receiving commands from the server. Crypto conversion is RSA + AES used when sending messages to the server. A separate key is generated for each message AES.
Here are the actions an attacker can perform on an infected system using Taidoor in its basic configuration (the main module and two built-in plugins):
- save files to disk,
- change the settings for connecting to the management server,
- load new modules,
- replace timestamps for files,
- start processes and receive their results,
- interact with the command line.
The id of each Taidoor plugin is found at the beginning of every post. Thus, it allows the program operator to direct commands to specific plugins or separate sources of information and to distinguish between message sources from the program (main module and specific plugins). The following identifiers are used by default:
- 1 - main module;
- 2 - plugin for starting processes and working with the command line;
- 3 - plugin for more information about the system.
Taidoor loads external plugins in the form of dynamic libraries on command from the management server. Each plugin has three exported functions:
- Install - initialization of the plugin and return of the plugin identifier;
- Proxy - sending a message from the server to the plugin;
- Uninstall - plugin deinitialization.
Taidoor employs all sorts of techniques to make it difficult to detect and investigate an attack:
- A copy can be used instead of the original file cmd.exe.
- The timestamps of the infection indicator %ALLUSERSPROFILE%\\Application Data\\Microsoft\\~svc_.TMpare replaced with the timestamps of the system file C:\Windows\System32\services.exe, which makes it difficult to determine the date of infection.
- The loaded plugin files are deleted after launch.
- Before the start of the processes, the plug-in checks whether the attacked machine has Kaspersky antivirus.
Initializing Taidoor
Before installation, the module must go through the decryption procedure - this is done by a special bootloader, which was described above. When the exported function Startis called, the execution of the sample itself begins.
In order to avoid manual revision of the program and its subsequent debugging, a mechanism is used that prevents manual debugging, during which the program:
- counts how many seconds in time from 0 to 60 should be in 10 seconds;
- starts a loop, waits 10 seconds at each iteration until it gets the expected value.
Once launched, Taidoor prevents manual debugging with a primitive function.
Further, the program itself imports all the necessary functions with the exception of LoadLibrary and GetProcAddress.
Taidoor calls a few more harmless and meaningless functions (Figure 1), most likely to defend against detection.
An example of a useless function used by Taidoor.
After that, the malware launches the main function in a new thread. Some of the strings of the malware (for example, the name of the imported functions) are obfuscated using a non-standard stream cipher to make detection more difficult. Strings are deobfuscated just before use.
Communication with the management server
Before the start of each of the main cycles, Taidoor checks the name of the application launched by the malicious program for the presence of a connection string to the command and control server.
- If the standard utility was used rundll32.exe, the program tries to load the parameters for connecting to the server from the parameter RValue of the registry keySOFTWARE \ Microsoft \ Windows NT \ CurrentVersion.
- If the library was started in another way or the parameter RValuedoes not exist, the settings are taken from the Taidoor body.
Taidoor then tries to connect to the management server. The connection parameters obtained earlier can contain up to 4 server addresses and up to 3 ports per server. You can also specify the HTTP proxy address and port. The sample under test specifies the management server and port, while the 32-bit version specifies two management servers and a port for each.
The connection takes place according to the following algorithm:
- The program takes the address and port from the configuration. If the configuration contains proxy server parameters, the program tries to connect to it.
- The program connects to the management server or issues the appropriate command to the proxy server (if there are proxy parameters and a successful connection to it).
- The program sends an array of 263 characters to the management server, where: the first 3 characters are a fixed string F::; the next 4 are the number of milliseconds that elapsed between the system start and the program start; the remaining 256 are a string 0x040x230x190x340xfe0xc1encrypted using an algorithm RSA_PKCS1v1.5using a cryptographically strong pseudo-random number generator (PRNG).
- In response, the program expects a line 200 OK\r\n\r\n: When the program receives such a response, the phase of connecting to the server ends . If the program does not receive the expected response, then it tries to connect to the next server specified in the parameters. If it fails to connect to any of them, the program sleeps for the specified time period (in this sample - 30 minutes), then repeats the cycle described above.
Time stamps
Before connecting to the management server, Taidoor opens the system event log and starts reading the records one by one. The program pays special attention to the records of the types 6005(" Start of the event log service") and 6006(" End of the event log service") - they can be used to determine the time during which the machine was started and worked. In the case under consideration, these data are skipped, but the program does not use them.
After connecting to the server, the program creates a file %ALLUSERSPROFILE%\\Application Data\\Microsoft\\~svc_.TMp and also updates its timestamps. Then the program checks the file C:\Windows\win.ini for the presence of a section Micros with a key source. If the key is present, the utility is cmd.exe copied to the address specified in the key (the address is indicated in the CISA report c:\temp\cmd.exe).
The main module
If the first byte of the buffer decrypted by the server contains 1, the rest of the buffer is processed by Taidoor itself. Individual commands can set or use global variables. Here are the most important ones:
- <file_name>;
- <file_descriptor>;
- <identifier>;
- <global_array>;
- <additional_file_name>;
- <additional_file_descriptor>.
The first byte of the remainder of the buffer sent for processing identifies one of the commands. Teams can control the connection of malware to the server, update its settings, upload and download plugins, and perform other malicious actions.
Complete list of commands
Part of the file open handler
Taidoor initializes two built-in plugins:
- MyPlugCmd - for executing commands on the machine. The path where the copy is located is passed as one of the arguments during initialization cmd.exe. If the required key is win.ininot found or the copying fails, an empty string is passed.
- MyPlugInfo - to get basic information about the infected machine.
This is how the process of loading a new plug-in looks like (the function is shown in Fig. 3):
- The library is loaded into memory.
- The program checks the plugin for the following exported functions: Install,Uninstall,Proxy.
- Softina calls the function Install, transfers information about the connection to the control server to it. The Installvalue obtained from is set as the identifier .
- After initialization, the module is added to the plugins array, and if the file name matches the schema uaq*.dll, the file is removed.
Plugin loading function.
Each module can be deinitialized to make room for another.
When receiving a command from the management server, Taidoor checks the first byte that indicates the destination: the command can be sent either to the main module or to one of the plugins. After the command has been passed to the plugin, the rest of the message text is passed to the proxy functions plugin.
The function of periodic login to the server starts after activating Taidoor plugins. In this function, the program sends a message \ x01 \ xff to the C&C server every 10 seconds.
All requests to the server hereinafter are created according to the following algorithm:
- The size of the padded data is calculated. It will be equal to the message length + 4 bytes - this value is rounded up to 16, always up. For example, 16 → 20 → 32, a 12 → 16 → 32.
- The original size is written to the first 4 bytes of the new array with the calculated size. Immediately after it, the transmitted data is copied (that is, by indentation 4). Extra bytes at the end of the array are filled with zeros. Thus, the data is packed for symmetric encryption.
- The program generates a temporary key of 16 lowercase characters in the Latin alphabet. The generation mechanism is unsafe, since it allows you to enumerate all possible options in a reasonable time. In addition, if you know the approximate time of infection, you can reduce the number of options.
- The program encrypts the generated key using an algorithm RSA_PKCS1v1.5using a cryptographically strong PRNG on the key taken from the parameters.
- The program encrypts the packed array using an algorithm AES-128in a ECBtemporary key mode.
- The software sends 4 bytes of the full packet size to the server: 256 (the size of the encrypted key) + the size of the encrypted data. If it succeeds in sending the size, then the program sequentially sends 256 bytes of the encrypted key and encrypted data.
Connecting plugins to the management server
To receive commands from the management server, the malware must enable plugins. The sequence of actions of the malware depends on the commands it receives.
If an error occurs while receiving data from the server, the program terminates the connection and waits for as long as specified in the parameters (in the example under study, this is 1 second), then tries to connect to the new server.
If the server responded with an empty message, the program will remember this. If the server responded in this way 300 times in a row, the program terminates the connection for the time specified in the parameters (in this example, it is 30 minutes), and then tries to establish the connection again.
If the size of the message from the server is greater than or equal to 256 bytes, then the program acts according to the following algorithm:
- Taidoor takes the first 256 bytes and decrypts them with the public RSA key using RSA_PKCS1v1.5. The received data is used as a symmetric key for the following data. The use of a signature in this case is meaningless, since it does not protect against control interception.
- The program uses the received key to decrypt the rest of the message with the algorithm AES-128in the mode ECB.
- The first byte of the received array contains the command destination identifier: If it is equal to 1, then the rest of the data is intended for the main module and processed in a separate function. All other values indicate this or that plugin. The program looks for it and transfers data to it. If no such plugin is found, the program does nothing.
Plugin capabilities
The integrated module MyPlugCmd is designed to start processes and send commands from the console. During startup, it is passed a parameter that can be saved to a file C: \ Windows \ win.ini.This parameter specifies a copy cmd.exe that is used to make it difficult to find the program.
The module stores several variables in its body. The most important ones are:
- <file_descriptor>;
- <file_name>;
- <alternative_path_to_cmd>;
- <shell>.
It is also worth noting that the "shell" variable stores information about the running console process, which is needed to write to the input stream of this process and receive data from the output stream.
Complete list of commands executed by the MyPlugCmd module
The integrated module MyPlugInfo can collect and send information about IP addresses and MAC addresses of network interfaces, current process ID and infection IDs to the server . He also knows how to execute command 11 from the main handler.
Commands with identifiers
Indicators of Compromise (IoC) of both variants of svchost.dll
Output
The attacker sees Taidoor as a target, a handy entry-level remote control tool with many dynamic expansion options. At the same time, the malware has a user-friendly interface to launch processes and interact with the console.
To be continued…
