
Taohuawu, A much more sophisticated evolution from WHQL signed NetFilter rootkit

COVID changed our lives in many ways, some bad, some good, and the online gaming market has grown significantly since the start of COVID. Taohuawu is a rootkit targeting unofficial online game players, mainly Chinese-speaking users. It is designed to monitor web browsers, redirect network traffic, install a trusted root certificate to degrade system and network security, and download and run shellcode and additional payloads. Rootkit driver components, usually designed to hide, protect and monitor, commonly implement only a limited set of core functions in the driver file and therefore have a considerably small file size.

Taohuawu, a game changer that implements most of its functions in the kernel driver, has a significantly larger file size, from KBs to MBs, and the customized file protector it uses makes it even harder to analyse. In addition to various self-protection mechanisms, Taohuawu consists of at least 7 stage payloads and has kept them updated since mid or late 2021. Furthermore, an undocumented method has been discovered in recent variants to hack into the kernel to install and load its driver.

This paper presents a detailed analysis of Taohuawu rootkit and discusses potential people/group behind this campaign.

Robert Xiang Wang

Robert is a security professional with 20 years of experience, specialising in malware reverse engineering and analysis. He works as a Principal Threat Analysis Engineer for NortonLifeLock in Dublin, Ireland.

Imran Khan

Imran is a Sr Manager of Protection Labs and has more than a decade of experience in the security industry. He has an extensive background in threat research and intelligence, security operations, and security engineering.