Security vendor Symantec, working in coordination with CISA, has disclosed China-linked malware that targets the secure networks of multiple governments. Symantec researchers have dubbed it Daxin.
Their findings suggest Chinese actors have been using an extremely sophisticated network attack tool that can invisibly create backdoors since at least 2013.
According to Symantec researchers, Daxin is “a stealthy backdoor designed for attacks on hardened networks”. They have found samples of the malware dating back to 2013, and the recently discovered versions still share code with those older builds. These recent versions have been attributed to “China-linked threat actors”.
In an advisory, CISA described the malware as “a highly sophisticated rootkit backdoor with complex, stealthy command and control functionality that enabled remote actors to communicate with secured devices not connected directly to the internet”. The agency asserts that Daxin “appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.”
According to Symantec’s analysis, the malware has been used as recently as November 2021 by China-linked attackers, and whoever wields it has targeted organizations and governments of strategic interest to China.
The researchers explained that Daxin is shipped as a Windows kernel driver and works by hijacking legitimate TCP/IP connections.
They further added, “In order to do so, it monitors all incoming TCP traffic for certain patterns. Whenever any of these patterns are detected, Daxin disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, where two sides follow complementary steps.”
Once the key exchange has been completed, Daxin opens an encrypted communication channel over the hijacked connection for receiving commands and sending responses. Because it rides on connections the firewall has already allowed through to the host, it needs neither a listening port of its own nor a fresh outbound connection, which is how the connection hijacking lets it evade firewalls.
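The following is an added, user-space simulation of the mechanism described above; it is not Daxin's code or Symantec's analysis tooling. A `HijackingDriver` stands in for the kernel filter: ordinary segments are handed to the legitimate service, while a segment that starts with a trigger pattern is diverted, a key exchange is run with the remote peer, and subsequent segments on that connection are treated as encrypted commands. The trigger bytes, the connection identifiers, the command set and the use of plain Diffie-Hellman over a 1024-bit MODP group with a SHA-256 keystream are all assumptions for the demo (the page only says the exchange is “custom”); the group is undersized and the DH is unauthenticated, so this is not a secure channel, only an illustration of where the takeover happens.

```python
import hashlib
import secrets

# Constructed trigger pattern for this simulation; the page does not publish
# Daxin's real patterns, and a real implant would match something far less obvious.
MAGIC = b"\x7a\x41\x19\xc3"

# 1024-bit MODP group (RFC 2409 group 2). Undersized by modern standards and used
# here only so the simulation runs instantly; Daxin's "custom" exchange is not
# described on the page, so plain Diffie-Hellman is a stand-in (assumption).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PUB_LEN = 128  # bytes in a serialised group element


def derive_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode); one label per direction
    avoids keystream reuse. Real code would use an AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_command(cmd: bytes) -> bytes:
    """Stand-in for the implant's command dispatcher (constructed command set)."""
    return {b"ping": b"pong", b"whoami": b"NT AUTHORITY\\SYSTEM"}.get(cmd, b"unknown")


class LegitimateService:
    """The real listener (say, a web server) that the driver sits in front of."""

    def __init__(self):
        self.received = []

    def handle(self, data: bytes) -> bytes:
        self.received.append(data)
        return b"HTTP/1.1 200 OK\r\n\r\n"


class HijackingDriver:
    """Plays the kernel-mode filter: every inbound segment passes through here
    before the service's socket would see it."""

    def __init__(self, service: LegitimateService):
        self.service = service
        self.sessions = {}  # conn_id -> session key for hijacked connections

    def inbound(self, conn_id: str, data: bytes) -> bytes:
        key = self.sessions.get(conn_id)
        if key is not None:
            # Connection already taken over: decrypt, execute, encrypt the reply.
            return xor_stream(key, b"resp", run_command(xor_stream(key, b"req", data)))
        if data.startswith(MAGIC):
            # Pattern matched: the legitimate recipient never sees this segment.
            peer_pub = int.from_bytes(data[len(MAGIC):], "big")
            priv = secrets.randbelow(P - 2) + 2
            self.sessions[conn_id] = derive_key(pow(peer_pub, priv, P))
            return pow(G, priv, P).to_bytes(PUB_LEN, "big")
        # Anything else is delivered to the service untouched.
        return self.service.handle(data)


class RemotePeer:
    """The attacker's side of the key exchange and command channel."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2
        self.key = None

    def hello(self) -> bytes:
        return MAGIC + pow(G, self.priv, P).to_bytes(PUB_LEN, "big")

    def finish(self, reply: bytes) -> None:
        self.key = derive_key(pow(int.from_bytes(reply, "big"), self.priv, P))

    def run(self, driver: HijackingDriver, conn_id: str, cmd: bytes) -> bytes:
        enc = driver.inbound(conn_id, xor_stream(self.key, b"req", cmd))
        return xor_stream(self.key, b"resp", enc)


def simulate():
    """Returns (segments the real service saw, decrypted reply from the implant)."""
    service = LegitimateService()
    driver = HijackingDriver(service)
    # Ordinary client traffic (constructed) is passed through to the service.
    driver.inbound("conn-1", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    # Attacker traffic carrying the trigger pattern is hijacked instead.
    peer = RemotePeer()
    peer.finish(driver.inbound("conn-2", peer.hello()))
    return service.received, peer.run(driver, "conn-2", b"ping")


if __name__ == "__main__":
    seen, reply = simulate()
    print("service saw:", seen)
    print("implant replied:", reply)
```

The point to take from the simulation is that the legitimate service's socket records only the ordinary request: the trigger segment and everything after it on that connection are consumed by the filter, so host-level detection has to look below the application (driver inventory, code-signing checks on loaded kernel modules, or network telemetry that shows a connection continuing after the server-side application closed it) rather than at the service's own logs.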
Other tricks Daxin is capable of:
- Creating new communications channels across multiple infected computers. The attackers send a single message specifying which nodes should take part; the network then self-assembles, creating encrypted links between the nodes and retransmitting the message that orders each node into use. According to Symantec, this design was chosen to work on well-guarded networks that force periodic reconnection.
- Encapsulating raw network packets to be transmitted via the local network adapter. Daxin then tracks network flows so it can capture any response packets and forward them to the remote attacker. This lets the attackers communicate with legitimate services that are reachable from the infected machine on the target’s network.
- Deploying additional stealthy communications components, one of which allows a remote attacker to communicate with selected components.
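As an added example (not Daxin's code or Symantec's), here is a small model of the first item above: a single order from the attacker names every node that should take part, each infected node strips the encryption of the link it was reached over, re-wraps the remainder of the order for the next named node, and the reply comes back hop by hop over the same encrypted links until the last node can reach a service that only it can see. The node names, the `C2` sender label, the per-link keys derived from node names and the SHA-256 keystream are all constructed for the demo; the page says Daxin builds encrypted links between nodes but does not say how they are keyed.

```python
import hashlib


def link_key(a: bytes, b: bytes) -> bytes:
    """Constructed per-link key shared by two neighbouring nodes (assumption:
    a real implant would negotiate link keys, not derive them from names)."""
    return hashlib.sha256(b"link:" + b"|".join(sorted((a, b)))).digest()


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 counter mode), one label per direction."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


NODES = {}  # name -> Node; stands in for the infected hosts on the target network


class Node:
    def __init__(self, name: bytes, services: dict):
        self.name = name
        self.services = services  # what is reachable only from this host
        self.forwarded = []       # audit trail of where this node relayed to
        NODES[name] = self

    def receive(self, frm: bytes, blob: bytes) -> bytes:
        # Strip the link encryption of the hop we were reached over.
        in_key = link_key(frm, self.name)
        route, _, payload = xor_stream(in_key, b"req", blob).partition(b"\x00")
        hops = route.split(b",") if route else []
        if hops:
            # More nodes named in the order: re-wrap for the next link and relay.
            nxt = hops[0]
            out_key = link_key(self.name, nxt)
            inner = b",".join(hops[1:]) + b"\x00" + payload
            self.forwarded.append(nxt)
            enc_reply = NODES[nxt].receive(self.name, xor_stream(out_key, b"req", inner))
            reply = xor_stream(out_key, b"resp", enc_reply)
        else:
            # Last hop: the request reaches a service only this node can see.
            reply = self.services.get(payload, b"unreachable")
        # Re-encrypt the reply for the link we were reached over.
        return xor_stream(in_key, b"resp", reply)


def send_through(route: list, payload: bytes) -> bytes:
    """Attacker side: one message naming every node that should take part.
    Returns the decrypted reply that came back along the chain."""
    first = route[0]
    key = link_key(b"C2", first)
    msg = b",".join(route[1:]) + b"\x00" + payload
    enc_reply = NODES[first].receive(b"C2", xor_stream(key, b"req", msg))
    return xor_stream(key, b"resp", enc_reply)


def build_network():
    """Constructed topology: only db-02 can reach the status endpoint."""
    NODES.clear()
    Node(b"dmz-web", {})
    Node(b"app-01", {})
    Node(b"db-02", {b"GET /status": b"db ok"})


if __name__ == "__main__":
    build_network()
    print(send_through([b"dmz-web", b"app-01", b"db-02"], b"GET /status"))
    print({n.name: n.forwarded for n in NODES.values()})
```

Each node only ever talks to its immediate neighbours, which is what makes the design tolerant of networks that force periodic reconnection: a dropped link is re-established between two adjacent hosts and the same order is replayed, without the attacker needing end-to-end reachability to the deepest node.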
With Symantec still digging into Daxin, we can expect to hear a lot more about it and its Chinese connection, though the researchers do not yet know when and where the attacks happened, or what the results of any compromises were.