TT Malware Log

A personal log of research, investigation and reference material on malware, cyber attacks and analysis techniques

Malware: Taidoor (Summary)

[Table of Contents]

Overview

[Overview]

■ In use since

  • 2008 onward

Articles

[News]

◆ What clues reveal a targeted cyber attack that has already gotten in? (ITmedia, 2013/08/01 08:00)

Defenses against cyber attacks that steal confidential information have focused on keeping the threat out, but today it is said that measures which assume the intrusion has already happened are what matter. What are the clues for finding the threat?

https://www.itmedia.co.jp/enterprise/articles/1308/01/news018.html
https://malware-log.hatenablog.com/entry/2013/08/01/000000_4

◆ CISA, DOD, FBI expose new versions of Chinese malware strain named Taidoor (ZDNet, 2020/08/03 17:35)

US government agencies say the Taidoor remote access trojan (RAT) has been used as far back as 2008.

https://www.zdnet.com/article/cisa-dod-fbi-expose-new-chinese-malware-strain-named-taidoor/
https://malware-log.hatenablog.com/entry/2020/08/03/000000_3

◆ US security agencies publish detailed information on the "Taidoor" malware; possibly used by the Chinese government (ITmedia, 2020/08/04 13:28)
https://www.itmedia.co.jp/enterprise/articles/2008/04/news083.html
https://malware-log.hatenablog.com/entry/2020/08/04/000000_2

◆ US government releases new information on China-linked "Taidoor"; includes variants undetected by security products (Security NEXT, 2020/08/04)
http://www.security-next.com/117203
https://malware-log.hatenablog.com/entry/2020/08/04/000000_3

◆ Three US government agencies jointly issue a warning about a new version of the "Taidoor" malware (ZDNet, 2020/08/05)
https://japan.zdnet.com/article/35157750/
https://malware-log.hatenablog.com/entry/2020/08/05/000000_3

[Blogs]

◆Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI) (Contagio, 2011/10/06)
http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html
https://malware-log.hatenablog.com/entry/2011/10/06/000000_1

◆Taidoor Campaign Targets Government Agencies in Taiwan (Trendmicro, 2012/08/18)
https://www.trendmicro.com/vinfo/pl/security/news/cyber-attacks/taidoor-campaign-targets-government-agencies-in-taiwan
https://malware-log.hatenablog.com/entry/2012/08/18/000000

◆ Characteristics of targeted attacks that organizations should watch for around the Golden Week holidays (Trendmicro, 2019/04/25)
https://blog.trendmicro.co.jp/archives/20970
https://malware-log.hatenablog.com/entry/2019/04/25/000000_9

[Public Reports]

◆MAR-10292089-1.v1 – Chinese Remote Access Trojan: TAIDOOR (CISA, 2020/08/03)
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
https://malware-log.hatenablog.com/entry/2020/08/03/000000_2

[IoC Information]

◆Taidoor (2011/10/06) (IoC (TT Malware Log))
https://ioc.hatenablog.com/entry/2011/10/06/000000

◆Taidoor (2012/11/12) (IoC (TT Malware Log))
https://ioc.hatenablog.com/entry/2012/11/12/000000_1

◆Taidoor (2018/10/01) (IoC (TT Malware Log))
https://ioc.hatenablog.com/entry/2018/10/01/000000_3

◆Taidoor (2020/08/03) (IoC (TT Malware Log))
https://ioc.hatenablog.com/entry/2020/08/03/000000

Related Information

[Related Summary Articles]

Overall summary
 ◆ Malware (Summary)

◆ Targeted-attack malware (Summary)
https://malware-log.hatenablog.com/entry/APT_Malware


[YARA Rule]

rule win_taidoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8d4d0c c645fc02 e8???????? 6a2d 8d4d0c e8???????? 8b450c }
            // n = 7, score = 300
            // 8d4d0c         | lea eax-relative: lea ecx, [ebp + 0xc]
            // c645fc02       | mov byte ptr [ebp - 4], 2
            // e8????????     | call (target masked)
            // 6a2d           | push 0x2d
            // 8d4d0c         | lea ecx, [ebp + 0xc]
            // e8????????     | call (target masked)
            // 8b450c         | mov eax, dword ptr [ebp + 0xc]

        $sequence_1 = { 46 3b70f8 7cdc 8b4d08 8d45f0 50 e8???????? }
            // n = 7, score = 300
            // 46             | inc esi
            // 3b70f8         | cmp esi, dword ptr [eax - 8]
            // 7cdc           | jl 0xffffffde
            // 8b4d08         | mov ecx, dword ptr [ebp + 8]
            // 8d45f0         | lea eax, [ebp - 0x10]
            // 50             | push eax
            // e8????????     | call (target masked)

        $sequence_2 = { 3b70f8 7cdc 8b4d08 8d45f0 50 e8???????? }
            // n = 6, score = 300
            // 3b70f8         | cmp esi, dword ptr [eax - 8]
            // 7cdc           | jl 0xffffffde
            // 8b4d08         | mov ecx, dword ptr [ebp + 8]
            // 8d45f0         | lea eax, [ebp - 0x10]
            // 50             | push eax
            // e8????????     | call (target masked)

        $sequence_3 = { 59 8903 8b75f0 897ddc 897d0c 3bf7 }
            // n = 6, score = 300
            // 59             | pop ecx
            // 8903           | mov dword ptr [ebx], eax
            // 8b75f0         | mov esi, dword ptr [ebp - 0x10]
            // 897ddc         | mov dword ptr [ebp - 0x24], edi
            // 897d0c         | mov dword ptr [ebp + 0xc], edi
            // 3bf7           | cmp esi, edi

        $sequence_4 = { 0fbe01 48 48 0f8472030000 48 0f8447030000 }
            // n = 6, score = 300
            // 0fbe01         | movsx eax, byte ptr [ecx]
            // 48             | dec eax
            // 48             | dec eax
            // 0f8472030000   | je 0x378
            // 48             | dec eax
            // 0f8447030000   | je 0x34d

        $sequence_5 = { 681c404000 e8???????? a1???????? 894594 8d4594 }
            // n = 5, score = 300
            // 681c404000     | push 0x40401c
            // e8????????     | call (target masked)
            // a1????????     | mov eax, dword ptr [addr] (address masked)
            // 894594         | mov dword ptr [ebp - 0x6c], eax
            // 8d4594         | lea eax, [ebp - 0x6c]

        $sequence_6 = { 75dd 8d04f6 ffb485f4b7ffff ff7508 }
            // n = 4, score = 300
            // 75dd           | jne 0xffffffdf
            // 8d04f6         | lea eax, [esi + esi*8]
            // ffb485f4b7ffff | push dword ptr [ebp + eax*4 - 0x480c]
            // ff7508         | push dword ptr [ebp + 8]

        $sequence_7 = { 6a04 8d45d4 51 50 e8???????? 8b45d4 83c40c }
            // n = 7, score = 300
            // 6a04           | push 4
            // 8d45d4         | lea eax, [ebp - 0x2c]
            // 51             | push ecx
            // 50             | push eax
            // e8????????     | call (target masked)
            // 8b45d4         | mov eax, dword ptr [ebp - 0x2c]
            // 83c40c         | add esp, 0xc

        $sequence_8 = { 7534 83c34c 81fb14414000 0f8c52ffffff 837dec00 751f a1???????? }
            // n = 7, score = 300
            // 7534           | jne 0x36
            // 83c34c         | add ebx, 0x4c
            // 81fb14414000   | cmp ebx, 0x404114
            // 0f8c52ffffff   | jl 0xffffff58
            // 837dec00       | cmp dword ptr [ebp - 0x14], 0
            // 751f           | jne 0x21
            // a1????????     | mov eax, dword ptr [addr] (address masked)

        $sequence_9 = { 8d85a0fdffff 59 50 e8???????? 59 40 8d4dc4 }
            // n = 7, score = 300
            // 8d85a0fdffff   | lea eax, [ebp - 0x260]
            // 59             | pop ecx
            // 50             | push eax
            // e8????????     | call (target masked)
            // 59             | pop ecx
            // 40             | inc eax
            // 8d4dc4         | lea ecx, [ebp - 0x3c]

    condition:
        7 of them
}


Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2023