Skip to content

S0011 Taidoor

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.1 Taidoor has primarily been used against Taiwanese government organizations since at least 2010.2

Item Value
ID S0011
Associated Names
Type MALWARE
Version 2.0
Created 31 May 2017
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Taidoor has used HTTP GET and POST requests for C2.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Taidoor has modified the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key for persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Taidoor can copy cmd.exe into the system temp folder.1
enterprise T1005 Data from Local System Taidoor can upload data and files from a victim’s machine.2
enterprise T1140 Deobfuscate/Decode Files or Information Taidoor can use a stream cipher to decrypt stings used by the malware.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Taidoor uses RC4 to encrypt the message body of HTTP content.21
enterprise T1083 File and Directory Discovery Taidoor can search for specific files.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Taidoor can use DeleteFileA to remove files from infected hosts.1
enterprise T1105 Ingress Tool Transfer Taidoor has downloaded additional files onto a compromised host.2
enterprise T1112 Modify Registry Taidoor has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA.1
enterprise T1106 Native API Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.21
enterprise T1095 Non-Application Layer Protocol Taidoor can use TCP for C2 communications.1
enterprise T1027 Obfuscated Files or Information Taidoor can use encrypted string blocks for obfuscation.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Taidoor has been delivered through spearphishing emails.2
enterprise T1057 Process Discovery Taidoor can use GetCurrentProcessId for process discovery.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Taidoor can perform DLL loading.21
enterprise T1012 Query Registry Taidoor can query the Registry on compromised hosts using RegQueryValueExA.1
enterprise T1016 System Network Configuration Discovery Taidoor has collected the MAC address of a compromised host; it can also use GetAdaptersInfo to identify network adapters.21
enterprise T1124 System Time Discovery Taidoor can use GetLocalTime and GetSystemTime to collect system time.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Taidoor has relied upon a victim to click on a malicious email attachment.2

References

  1. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. 

  2. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.