Another year, and the same type of malware: the continuation of a history of Remote Access Trojans from the same place, going back to 2008.

Digital Immunity Threat Researchers have reviewed TAIDOOR and have assessed how TAIDOOR would get into an environment and be executed. Digital Immunity DI PROTECT™ will detect and prevent, in memory, at run-time, the execution of the untrusted code known as TAIDOOR as well as detect and prevent the execution of untrusted foreign code which enabled hackers’ access to the environment to launch TAIDOOR.

TAIDOOR Remote Access Trojan (RAT)

Malicious binaries identified as x86 and x64 versions of TAIDOOR were submitted for analysis. TAIDOOR is installed on a target’s system as a service dynamic link library (DLL) and comprises two files. The first file is a loader, which is started as a service. The loader decrypts the second file, which is the main Remote Access Trojan (RAT), and executes it in memory.

Where Digital Immunity Intercepts

Digital Immunity DI PROTECT™ intercepts at the point where untrusted code is executed to be loaded into memory. The file “ml.dll” is a 32-bit Windows DLL and a TAIDOOR loader. It uses the export function “MyStart” to decrypt and load “svchost.dll”, which was identified as TAIDOOR malware. TAIDOOR is a traditional RAT.

The “MyStart” function looks for the file name “svchost.dll” in its running directory. If that file is located, the DLL reads “svchost.dll” into memory and then uses the RC4 encryption algorithm to decrypt the contents of the file.

After the loader has finished decrypting “svchost.dll”, it holds a decrypted version of TAIDOOR, which is a DLL. The loader then uses the API calls GetProcessHeap, GetProcAddress, and LoadLibrary to load the following DLLs, which TAIDOOR will utilize: KERNEL32.dll, ADVAPI32.dll, and WS2_32.dll.

Next, the loader looks for the export “Start” in the TAIDOOR DLL and executes that function.
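A defender-side triage sketch for the loader behaviour described above, added here as an example and not Digital Immunity's code or part of the original analysis: it flags files named “svchost.dll” that do not parse as PE images on disk, which is what an RC4-encrypted payload would look like, and lists the DLLs beside them as candidate loaders. The entropy threshold, function names and sample bytes are assumptions constructed for illustration.

```python
import math
import os
from collections import Counter
from pathlib import Path

PAYLOAD_NAME = "svchost.dll"  # file name the loader looks for, per the write-up
ENTROPY_THRESHOLD = 7.2       # assumed cut-off for "looks encrypted"; tune locally

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext of any real size sits close to 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def looks_like_pe(data: bytes) -> bool:
    """True if the MZ header's e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def triage_directory(base: str) -> list:
    """Report files named svchost.dll that are not valid PE images on disk."""
    findings = []
    for root, _dirs, files in os.walk(base):
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for name in files:
            if name.lower() != PAYLOAD_NAME:
                continue
            data = Path(root, name).read_bytes()
            if looks_like_pe(data):
                continue  # a genuine DLL; an encrypted payload would not parse as PE
            entropy = shannon_entropy(data)
            findings.append({
                "path": os.path.join(root, name),
                "entropy": round(entropy, 2),
                "high_entropy": entropy >= ENTROPY_THRESHOLD,
                "sibling_dlls": sorted(f for f in dlls if f.lower() != PAYLOAD_NAME),
            })
    return findings

def build_constructed_samples(base: str) -> None:
    """Constructed test data only: no real malware bytes are used."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    blob = bytes(range(256)) * 16  # uniform bytes stand in for ciphertext
    samples = {"suspect/svchost.dll": blob, "suspect/ml.dll": pe_stub, "benign/svchost.dll": pe_stub}
    for rel, content in samples.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
```

Call `triage_directory()` on a service's install directory or a mounted disk image; a hit is a lead for review, not a verdict, and the sibling DLLs are the ones to inspect for a “MyStart” export.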

Digital Immunity DI PROTECT™

Long Term Goals

Digital Immunity DI PROTECT™ will detect and prevent, in memory, at run-time, the execution of foreign code such as TAIDOOR. Digital Immunity’s prevention capability will not disrupt good processes, ensuring that operations continue uninterrupted. DI PROTECT™ also captures deep forensics, in context, at the point of attack.

In the long term, you should assess how a technology such as DI PROTECT™ could prevent cyber-threats like the Remote Access Trojan TAIDOOR. Having a technology such as DI PROTECT™ to prevent known and unknown threats in OT can provide priceless peace of mind. DI PROTECT™ also delivers the added benefits of reduced downtime, reduced emergency patching and increased uptime and revenue.
