Taidoor is a malware family that has been used in cyber espionage campaigns since 2008. In this blog post, we will discuss how to detect its beaconing activity using RSA Security Analytics.
Taidoor binaries use a distinctive URL pattern when communicating with their C2 server. This is how the traffic looks in Security Analytics Investigator:
The value of the id parameter in the query string is always 18 characters long, and its last 12 characters are an encoded form of the victim machine's MAC address. The filename, without its extension, is always 5 characters long. Either length on its own is a weak indicator (plenty of legitimate sites use 5-character script names), so the detection should require both.
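The two structural checks can be exercised offline before they are turned into an Investigator query. The Python below is added here as an illustration and is not the RSA Security Analytics query the post refers to; the IPs, hostnames, filenames and id values in the sample requests are constructed, and because the post does not say which extension the 5-character filename carries, the check deliberately ignores the extension and looks only at the stem. It also groups hits by source host and encoded-MAC suffix, since beaconing shows up as the same suffix repeating from the same host.

```python
"""Structural check for the Taidoor beacon URL shape described above.

Added example, not code from the original post or from the malware:
  * filename stem (last path component minus extension) is exactly 5 chars
  * exactly one `id` query parameter, exactly 18 chars long
  * the last 12 chars of `id` are treated as the encoded MAC suffix
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

STEM_LEN = 5   # filename length without extension
ID_LEN = 18    # total length of the id parameter
MAC_LEN = 12   # trailing characters that encode the MAC address


def match_taidoor_url(url):
    """Return the encoded-MAC suffix if `url` matches the beacon shape, else None."""
    parts = urlsplit(url)

    # Last path component, extension stripped; the extension itself is not
    # part of the indicator given in the post, so any (or none) is accepted.
    stem, _ext = posixpath.splitext(posixpath.basename(parts.path))
    if len(stem) != STEM_LEN:
        return None

    # keep_blank_values so "id=" is seen (and rejected for length), not dropped.
    ids = parse_qs(parts.query, keep_blank_values=True).get("id")
    if not ids or len(ids) != 1:       # require exactly one id parameter
        return None
    victim_id = ids[0]
    if len(victim_id) != ID_LEN:
        return None
    return victim_id[-MAC_LEN:]


def find_beacons(requests):
    """Count matching requests per (source host, encoded-MAC suffix).

    `requests` is an iterable of (source_ip, url) pairs, e.g. from a proxy log.
    Repeated hits for one key are the beaconing pattern a hunter is after.
    """
    hits = {}
    for src, url in requests:
        mac = match_taidoor_url(url)
        if mac is not None:
            hits[(src, mac)] = hits.get((src, mac), 0) + 1
    return hits


# Constructed sample traffic (not from a real capture). The id value
# "0123456789abcdefgh" is 18 chars; its last 12 are "6789abcdefgh".
SAMPLE_REQUESTS = [
    ("10.0.0.5", "http://198.51.100.7/ajbqk.php?id=0123456789abcdefgh"),   # match
    ("10.0.0.5", "http://198.51.100.7/ajbqk.php?id=0123456789abcdefgh"),   # match (repeat)
    ("10.0.0.5", "http://198.51.100.7/qwert?id=0123456789abcdefgh"),       # match, no extension
    ("10.0.0.9", "http://example.com/index.php?id=42"),                    # 5-char stem, id too short
    ("10.0.0.9", "http://example.com/search?id=0123456789abcdefgh"),      # stem is 6 chars
    ("10.0.0.9", "http://198.51.100.7/ajbqk.php?id=0123456789abcdefgh&id=x"),  # two id params
    ("10.0.0.9", "http://198.51.100.7/ajbqk.php?id=0123456789abcdefg"),    # id is 17 chars
]

if __name__ == "__main__":
    for key, count in sorted(find_beacons(SAMPLE_REQUESTS).items()):
        print(f"{key[0]} -> encoded MAC suffix {key[1]}: {count} request(s)")
```

Only the first three constructed requests survive both checks, all from the same host with the same suffix, which is exactly the repeat pattern to pivot on in Investigator once the equivalent query is in place. The `index.php?id=42` line is the reminder that the 5-character stem alone is far too common to alert on.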
Given the artifacts above, and assuming that the meta keys carrying the filename, extension and query string are enabled, the following query can be used to detect Taidoor network activity: