Ahmed Sonbol

Detecting Taidoor variants using Security Analytics

Discussion created by Ahmed Sonbol Employee on Feb 1, 2016
Latest reply on May 17, 2017 by Ahmed Sonbol

Taidoor is a malware family that has been used in cyber espionage campaigns since 2008. In this blog post, we will discuss how to detect its beaconing activity using RSA Security Analytics.


Taidoor binaries use a distinctive URL pattern in their communication with the C2 server. This is how the traffic looks in Security Analytics Investigator:


[Image: taidoor-investigator.png]


The value of the id parameter in the query string is always 18 characters long, and its last 12 characters are an encoded form of the victim machine's MAC address. The filename, without the extension, is always 5 characters long.


Given the artifacts above and assuming that the appropriate meta keys are enabled, the following query can be used to detect Taidoor network activity:

               action = 'get' && extension = 'php' && query begins 'id=' && filename length 9 && query length 21
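As an added example (not part of the original post and not RSA Security Analytics code), the same five conditions re-implemented in Python and run over a few constructed proxy-log lines, so the pattern can be checked against an exported web log outside the SA console. The mapping from SA meta keys to the checks is my reading of the post: action = 'get' is the HTTP method, extension/filename come from the URL path, and query is everything after the "?". The id values, hosts and IPs in the sample lines are made up and are not real Taidoor indicators. It goes one step beyond the query by carrying the trailing 12 characters of the id value along with each hit, since the post describes them as an encoded MAC address and that lets an analyst group beacons by host.

```python
# Added example (not from the original post or from RSA Security Analytics):
# re-implements the Security Analytics query as a Python function and runs it
# over constructed combined-log-format lines.
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample log; hosts, IPs and id values are made up for this example.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [01/Feb/2016:10:00:00 +0000] "GET http://example.invalid/abcde.php?id=ABCDEF123456789012 HTTP/1.1" 200 512
10.0.0.5 - - [01/Feb/2016:10:00:01 +0000] "GET http://example.invalid/index.php?id=123 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Feb/2016:10:00:02 +0000] "POST http://example.invalid/abcde.php?id=ABCDEF123456789012 HTTP/1.1" 200 100
10.0.0.8 - - [01/Feb/2016:10:00:03 +0000] "GET http://example.invalid/abcdef.php?id=ABCDEF12345678901 HTTP/1.1" 200 100
10.0.0.9 - - [01/Feb/2016:10:00:04 +0000] "GET http://example.invalid/zzzzz.php?id=00112233445566778899 HTTP/1.1" 200 100
"""

# Combined-log-format line: client, ident, user, [timestamp], "METHOD URL PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def matches_taidoor_pattern(method: str, url: str) -> bool:
    """Return True when a request satisfies every condition of the SA query.

    Assumed mapping of SA meta keys to the checks here:
      action = 'get'       -> HTTP method GET
      extension = 'php'    -> path ends in .php
      filename length 9    -> 5-character name plus ".php"
      query begins 'id='   -> query string starts with "id="
      query length 21      -> "id=" plus an 18-character value
    """
    if method.upper() != "GET":
        return False
    parts = urlsplit(url)
    filename = posixpath.basename(parts.path)
    if not filename.endswith(".php") or len(filename) != 9:
        return False
    query = parts.query
    return query.startswith("id=") and len(query) == 21


def scan_log(text: str) -> list:
    """Parse log lines and return one dict per request matching the pattern.

    The last 12 characters of the id value are kept as "encoded_mac" because
    the post describes them as an encoded form of the victim's MAC address.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parseable log line; skip rather than crash
        if matches_taidoor_pattern(m["method"], m["url"]):
            id_value = urlsplit(m["url"]).query[len("id="):]
            hits.append({
                "src": m["src"],
                "url": m["url"],
                "id": id_value,
                "encoded_mac": id_value[-12:],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(CONSTRUCTED_LOG):
        print(f"{hit['src']} -> {hit['url']} (encoded MAC field: {hit['encoded_mac']})")
```

Only the first sample line matches: the index.php line has a 9-character filename but a 6-character query, the POST line fails the method check, and the remaining two fail on filename or query length. That is the point of combining all five conditions rather than keying on the .php filename alone.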


Scan results for a Taidoor variant can be found here.


All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, you can use the following app rule:

               threat.desc = 'apt-taidoor-c2'
