Taidoor: multi-tool for hacker

Taidoor is a highly effective RAT (remote access trojan) -class malware designed to be used without sticking to the system. The modular system implemented in Taidoor differs from many other RATs in flexibility: program operators can send to the infected system only those modules that are needed to achieve the goals of a particular attack.

To make detection more difficult, Taidoor uses several different methods: manipulating timestamps, deleting files with modules, obfuscating strings, searching for antivirus on the attacked machine, etc.

We have studied the functionality and algorithms of Taidoor, as well as its downloaders, and we want to share our observations.

The source of information about the infected system, including file names, is the US Cyber and Infrastructure Security Agency (CISA) report number AR20-216A .

Taidoor in the attacker's arsenal

From an attacker's point of view, Taidoor is a decent basic remote control tool with many dynamic extensibility options. In addition, the malware has a fairly convenient interface for launching processes and interacting with the console.

Two built-in modules allow collecting information about the infected system. Additional modules can be sent from the management server as needed.

When communicating with the management server, Taidoor uses a crypto-envelope RSA+ AESto ensure confidentiality. However, cryptography in the program is poorly implemented: when intercepting traffic, you can substitute commands from the server. Also, when this algorithm is used, a vulnerability may appear on the server, which allows decrypting the data sent to the server, which it was able to access.

Taidoor Downloaders

Taidoor main body loaders are files rasautoex.dlland ml.dll, identical in functionality. They differ only in bit depth: the first is a 64-bit version of malware, the second is a 32-bit version. Their properties are presented in table. one.

1. Properties of Taidoor loaders

Properties64-bit version32-bit versionFile namerasautoex.dllml.dllFile typePE32+ Executable (DLL)PE32 Executable (DLL)HPE classLoaderLoaderMD54ec8e16d426a4aaa57c454c58f447c1e6aa08fed32263c052006d977a124ed7bSHA-15c89629e5873072a9ca3956b67cf7b5080312c809a6795333e3352b56a8fd506e463ef634b7636d2SHA-2566e6d3a831c03b09d9e4a54859329fbfd428083f8f5bc5f27abbfdd9c47ec0e574a0688baf9661d3737ee82f8992a0a665732c91704f28688f643115648c107d4Size (bytes)5017643520

Below we will share the results of the study of the 64-bit version.

Bootloader functionality

The file is rasautoex.dlldesigned to load the main body of Taidoor into the system memory. It can be started by calling the exported function, MyStartor it can be registered as a service - this is evidenced by the exported function ServiceMain.

System behavior

At startup, the loader searches in the same directory in which it is located for a file svchost.dll- the encrypted main body of Taidoor. Having found the required file, the loader performs the following actions:

1. Loads the contents of a file into memory.
2. Decrypts the file using the RC4 algorithm on a key ar1z7d6556sAyAXtUQc2. In decrypted form, it svchost.dllis a 64-bit library. In the case of a 32-bit loader ( ml.dll), the library with the Taidoor body is, accordingly, 32-bit.
3. Maps the library in memory.
4. Finds and fills in the addresses of all imported functions.
5. Finds the address of the function exported from the library Start. If such a function is found, calls it.

Indicator of Compromise (IoC)

Taidoor main body

The main encrypted body of Taidoor is presented in the form of one of the files svchost.dll, which differ in bitness. Their properties are described in table. 2.

 2. File properties of the main body of Taidoor

Properties64-bit version32-bit versionFile namesvchost.dllsvchost.dllFile typeEncrypted PE32 + Executable (DLL)Encrypted PE32 Executable (DLL)HPE classRemote Access TrojanRemote Access TrojanMD56627918d989bd7d15ef0724362b67edd8cf683b7d181591b91e145985f32664cSHA-121e29034538bb4e3bc922149ef4312b90b6b4ea3f0a20aaf4d2598be043469b69075c00236b7a89aSHA-2560d0ccfe7cd476e2e2498b854cef2e6f959df817e52924b3a8bcdae7a8faaa686363ea096a3f6d06d56dc97ff1618607d462f366139df70c88310bbf77b9f9f90Size (bytes)183,808158208C2www[.]infonew[.]dubya[.]net:443? 210.68.69.82:443

?www[.]cnaweb[.]mrslove[.]com:443

The file with the MD5 hash ending in 7eddis encrypted for the 64-bit version of the program. In a file with an MD5 hash ending in 2664c- 32-bit. The files are almost identical, but they contain different addresses of the management servers.

Further on, we will focus on the study of the 64-bit version.

General characteristics of the studied Taidoor sample

The sample studied is an encrypted malicious library that is launched by a separate program described above.

When launched using rundll32Taidoor, it checks for encrypted settings saved outside the body of the program in the RValueregistry key parameter SOFTWARE\Microsoft\Windows NT\CurrentVersion. If they are absent or in another type of launch, the program uses the standard settings saved in its body.

Taidoor further decrypts the settings, which include the following data:

• management server addresses (domains or IP addresses and ports);
• proxy server address (optional);
• waiting settings (time to reconnect to the server in different situations);
• public RSA key of the server.

If a proxy is specified, the program tries to connect to the management server through it. When connected, Taidoor sends one RSA-encrypted packet with an identifier and waits for a response from the server. If the attempt is successful, the program creates a file %ALLUSERSPROFILE%\\Application Data\\Microsoft\\~svc_.TMp- most likely, this is an indicator of a successful infection, which prevents Taidoor from being downloaded again.

During the main loop, the program initializes two plugins: one for collecting information about the system, the other for creating processes and working with the command line.

After that, the program starts a tapping cycle in a separate thread, in which it contacts the C&C server every 10 seconds. In the main thread, the program begins a cycle of receiving commands from the server. When sending messages to the server, a cryptoconvert RSA+ is used AES. A separate key is generated for each message AES.

Here are the actions an attacker can perform on an infected system using Taidoor in its basic configuration (the main module and two built-in plugins):

• save files to disk,
• change the settings for connecting to the management server,
• load new modules,
• replace timestamps for files,
• start processes and receive their results,
• interact with the command line.

Each Taidoor plugin has its own identifier, which is indicated at the beginning of each message on both sides. This allows the program operator to address commands to a specific plugin and distinguish message sources from the program (main module and specific plugins). The following identifiers are used by default:

• 1 - main module;
• 2 - plugin for starting processes and working with the command line;
• 3 - plugin for more information about the system.

Taidoor loads external plugins in the form of dynamic libraries on command from the management server. Each plugin has three exported functions:

• Install - initialization of the plugin and return of the plugin identifier;
• Proxy - sending a message from the server to the plugin;
• Uninstall - plugin deinitialization.

Taidoor employs all sorts of techniques to make it difficult to detect and investigate an attack:

• A copy can be used instead of the original file cmd.exe.
• The timestamps of the infection indicator %ALLUSERSPROFILE%\\Application Data\\Microsoft\\~svc_.TMpare replaced with the timestamps of the system file C:\Windows\System32\services.exe, which makes it difficult to determine the date of infection.
• The loaded plugin files are deleted after launch.
• Before the start of the processes, the plugin checks if the attacked machine has Kaspersky antivirus.

Initializing Taidoor

The module must be decrypted before use - this is done by the specialized loader described above. Execution of the sample itself begins with a call to the exported function Start.

At the beginning of the process, a mechanism is used to discourage manual debugging, during which the program:

1. counts how many seconds in time from 0 to 60 should be in 10 seconds;
2. starts a loop, waits 10 seconds at each iteration until it gets the expected value.

With manual debugging, it waitcan take more than a second from calculating the expected value to calling the function , causing the loop to crash and run forever.

Once launched, Taidoor prevents manual debugging with a primitive function.

Further, the program itself imports all the necessary functions with the exception of LoadLibraryand GetProcAddress.

Taidoor calls a few more harmless and meaningless functions (Figure 1), most likely to defend against detection.

"

Fig. 1. An example of a useless function used by Taidoor

After that, the malware launches the main functionality in a new thread. Most of the malware strings (for example, the names of imported functions) are obfuscated using a non-standard stream cipher to make detection more difficult. The strings are deobfuscated right before they are used.

Connecting to the management server

At the beginning of the main loop, Taidoor checks the name of the application with which the malware was launched to determine the source of the parameters for connecting to the command and control server:

• If the standard utility was used rundll32.exe, the program tries to load the parameters of the connection to the server from the parameter RValueof the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion.
• If the library was started in another way or the parameter RValuedoes not exist, the settings are taken from the Taidoor body.

The settings obtained in one way or another are decrypted by the algorithm AESin the ECBkey mode 2B7E151628AED2A6ABF7158809CF4F3C(represented in hexadecimal form).

Taidoor then tries to connect to the management server. The connection parameters obtained earlier can contain up to 4 server addresses and up to 3 ports per server. The address and port of the HTTP proxy server can also be specified. The studied sample specified one management server and one port, while the 32-bit version specified two management servers and one port for each.

The connection takes place according to the following algorithm:

1. The program takes the address and port from the configuration. If the configuration contains proxy server parameters, the program tries to connect to it.
2. The program connects to the management server or issues the appropriate command to the proxy server (if there are proxy parameters and a successful connection to it).
3. The program sends an array of 263 characters to the C&C server, where:

• the first 3 characters are a fixed string F::;
• the next 4 are the number of milliseconds that elapsed between the start of the system and the start of the program;
• the remaining 256 are a string 0x040x230x190x340xfe0xc1encrypted using an algorithm RSA_PKCS1v1.5using a cryptographically strong pseudo-random number generator (PRNG).

1. In response, the program expects a line 200 OK\r\n\r\n:

• If the program receives such a response, the phase of connecting to the server ends.
• If the program does not receive the expected response, then it tries to connect to the next server specified in the parameters. If it fails to connect to any of them, the program sleeps for the specified time period (in this sample - 30 minutes), then repeats the cycle described above.

Working with timestamps

Before connecting to the management server, Taidoor opens the system event log and starts reading the records one by one. In this case, the program pays special attention to the records of the types 6005("Start of the event log service") and 6006("End of the event log service") - they can be used to determine the time that the machine has been up and running. In the considered instance, a pass through this data is implemented, but the program does not use them.

After connecting to the server, the program creates a file %ALLUSERSPROFILE%\\Application Data\\Microsoft\\~svc_.TMpand also updates its timestamps. Then the program checks the file C:\Windows\win.inifor the presence of a section Microswith a key source. If the key is present, the utility is cmd.execopied to the address specified in the key (the address is indicated in the CISA report c:\temp\cmd.exe).

Functionality of the main module

If the first byte of the decrypted buffer from the server contains 1, the rest of the buffer is processed by Taidoor itself. Individual commands can set or use global variables. Here are the most important ones:

• <file_name>; <file_descriptor>; <identifier>; <global_array>; <additional_file_name>; <additional_file_descriptor>.

The first byte of the remainder of the buffer that is sent for processing identifies one of the commands. Teams can manipulate the connection of malware to the server, update its settings, load and unload plugins, and perform other malicious actions.

A complete list of commands can be found here. Note that not all IDs have commands.

Plugin initialization

Taidoor initializes two built-in plugins:

• MyPlugCmd - for executing commands on the machine. The path where the copy is located is passed as one of the arguments during initialization cmd.exe. If the required key is win.ininot found in or the copying fails, an empty string is passed.
• MyPlugInfo - to get basic information about the infected machine.

This is how the process of loading a new plug-in looks like (the function is shown in Fig. 3):

1. The library is loaded into memory.
2. The program checks the plugin for the presence of the following exported functions:

• Install,
• Uninstall,
• Proxy.

1. The program calls the function Install, transfers information about the connection to the control server to it. The Installvalue obtained from is set as the identifier .
2. After initialization, the module is added to the plugins array, and if the file name matches the schema uaq*.dll, the file is removed.

Each module can be deinitialized to make room for another.

When receiving a command from the management server, Taidoor checks the first byte that indicates the destination: the command can be intended either for the main module or for one of the plugins. If a command is to be passed to a plugin, the rest of the message is passed to the plugin function Proxy.

After activating the plugins, Taidoor in a separate thread starts the function of periodic access to the server. In this function, the program sends a message to the C&C server every 10 seconds \x01\xff.

All calls to the server here and below are created according to the following algorithm:

1. The size of the padded data is calculated. It will be equal to the message length + 4 bytes - this value is rounded up to 16, always up. For example, 16 → 20 → 32, a 12 → 16 → 32.
2. The original size is written to the first 4 bytes of the new array with the calculated size. Immediately after it, the transmitted data is copied (i.e., by indentation 4). Extra bytes at the end of the array are filled with zeros. Thus, the data is packed for symmetric encryption.
3. The program generates a temporary key of 16 lowercase characters in the Latin alphabet. The generation mechanism is unsafe, since it allows you to enumerate all possible options in a reasonable time. In addition, if you know the approximate time of infection, you can reduce the number of options.
4. The program encrypts the generated key using an algorithm RSA_PKCS1v1.5using a cryptographically strong PRNG on the key taken from the parameters.
5. The program encrypts the packed array using an algorithm AES-128in a ECBtemporary key mode .
6. The program sends to the server 4 bytes of the total packet size: 256 (encrypted key size) + encrypted data size. If it succeeds in sending the size, then the program sequentially sends 256 bytes of the encrypted key and encrypted data.

Communication of plugins with the management server

By enabling plugins, the malware starts receiving commands from the control server. Further actions of the malware depend on the commands.

If an error occurs while receiving data from the server, the program terminates the connection and waits for as long as specified in the parameters (in the studied sample it is 1 second), and then tries to connect to the server again.

If the server responded with an empty message, the program remembers this. If the server responded like this 300 times in a row, the program terminates the connection and for as long as specified in the parameters (in the studied sample it is 30 minutes), and then tries to connect again.

If the size of the message from the server is greater than or equal to 256 bytes, then the program acts according to the following algorithm:

1. Taidoor takes the first 256 bytes and decrypts them with the public RSA key using RSA_PKCS1v1.5. The received data is used as a symmetric key for the following data. The use of a signature in this case is meaningless, since it does not protect against control interception.
2. The program uses the received key to decrypt the rest of the message with the algorithm AES-128in the mode ECB.
3. The first byte of the received array contains the identifier of the command addressee:

• If it is equal to 1, then the rest of the data is intended for the main module and is processed in a separate function.
• All other values represent a particular plugin. The program looks for it and transfers data to it. If no such plugin is found, the program does nothing.

Plugin functionality

The built-in module MyPlugCmd is designed to start processes and send console commands. During initialization, it is passed a parameter that can be saved in a file C:\Windows\win.ini. This parameter points to the copy cmd.exethat is used to make the program more difficult to detect.

The module stores several variables in its body. The most important ones are:

• <file_descriptor>; <file_name>; <alternative_path_to_cmd>; <shell>.

It is worth noting that the <shell> variable stores information about the running console process, which is needed to write to the input stream of this process and receive data from the output stream.

A complete list of commands executed by the MyPlugCmd module can be found here.

The built-in MyPlugInfo module can collect and send information about IP addresses and MAC addresses of network interfaces, the identifier of the current process, and infection identifiers to the server. He also knows how to execute command 11 of the main handler.