As if Russian cyber threats weren’t enough, this week opened with a reminder that we can’t turn our backs on the danger from Chinese hackers. Threat hunting researchers raised the global alarm Monday on a highly sophisticated piece of malware being used by China-linked threat actors.
The malware, known as Daxin, appears to be part of a long-running espionage campaign against select governments and critical infrastructure targets. The team at Symantec cautioned that it features “technical complexity previously unseen by such actors” and “appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.” [i]
Alarmingly, though the most recent known attacks involving Daxin happened in November 2021, the public report notes “the earliest known sample of the malware dates from 2013 and included all of the advanced features seen in the most recent variants.” While most targets to date have been “organizations and governments of strategic interest to China,” the existence of a backdoor that can lurk undetected in your network should set off alarms for anyone with responsibility for sensitive data.
Why You Should Worry
Daxin is clearly designed for stealth. It takes the form of a Windows kernel driver (pretty rare for malware these days) and uses advanced communications functionality to let attackers communicate with infected computers on highly secured networks. To blend in with normal network traffic and avoid detection, the malware avoids starting its own network services, instead abusing legitimate services that are already running on infected computers.
Daxin can also relay communications across a network of infected computers within an organization; according to the researchers, “attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity.” Finally, the malware uses network tunneling to let the attackers communicate with legitimate services on the attacked network that can be reached from any infected computer.
What does this mean? Once in, a hacker using Daxin can read and write files on an infected computer, as well as starting processes and interacting with them. The real value to a malicious actor is in Daxin’s stealth and communications abilities, making it much more likely they could hijack data undetected for weeks, months, or even longer if it’s not discovered and rooted out.
Daxin works by taking over legitimate TCP/IP connections. That matters because instead of creating unusual traffic that’s easy to distinguish from what you’d normally expect from your network, it camouflages its activity behind patterns that look normal. The researchers warn “Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.”
Know Your Foe
Victims of Daxin identified by researchers include government organizations as well as entities in the telecommunications, manufacturing, and transportation sectors. Their work established multiple research links to known Chinese espionage actors, giving confidence to their identification of the source of the threat. The researchers also released indicators of compromise (IOCs) that can help detect when Daxin has infiltrated a system.
As with other emerging detections of cybersecurity threats, our SOC team at Petronella began working immediately to incorporate what is known and being discovered about Daxin into our security protocols. We use AI-driven, proactive tools to dive deep into your network data, hunting even the most elusive patterns and signs of malware, hints that can escape manual cybersecurity efforts to them track down. We stay connected with threat detection teams worldwide to add detections and mitigations to our arsenal so we can keep you a step ahead of danger.
Your Cybersecurity Experts
Does the idea of your business being the next victim of the latest malware in the headlines break you out in cold sweat? Don’t worry—call Petronella Technology Group (PTG). We’ve got the expertise to find and eradicate malware before it can damage your systems and your reputation. To schedule a FREE consultation now, contact us here.
[i] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage