<— Back

Taohuawu, A much more sophisticated evolution from WHQL signed NetFilter rootkit

COVID changed our life in many perspectives, some bad, some good, there are significant increase in online gaming market since start of COVID. Taohuawu is a rootkit targeting unofficial online game players, mainly Chinese speaking users. It’s designed to monitor web browsers, redirect network traffic, install trusted root certificate to degrade system and network security, download and run shellcode and additional payload. Rootkit driver components usually designed to hide, to protect, to monitor, are commonly seen have limited but core functions implemented in driver file, and therefore have a considerably small file size.

Taohuawu, a game changer which implement most of its functions in kernel driver, has a significant increase in file size, from KBs to MBs, and the customized file protector it used make it even harder to analyse. In additional to various self-protection mechanism, Taohuawu consist at least 7 stage payloads and keep them updated since mid or late 2021. Furthermore, an undocumented method is discovered in recent variants to hack into kernel to install and load its driver.

This paper presents a detailed analysis of Taohuawu rootkit and discusses potential people/group behind this campaign.