Cybersecurity vendor Symantec and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) have discovered a network attack tool capable of invisibly creating backdoors and has been linked to Chinese threat actors. The tool may have been in circulation since 2013.
Symantec’s Threat Hunter team named the malware Daxin says it’s designed to breach hardened networks. The report describes malware samples dating back to 2013, and the features present in these older samples were also present in the newer, more recent versions. It’s these recent versions that have been linked with Chinese threat actors.
The CISA, in its advisory, has warned of the same, stating that the malware is optimised for use against hardened targets and extracting information without raising suspicions.
In the News: Lenovo’s first ARM-based ThinkPad X13S features Snapdragon 8cx Gen 3
New state-sponsored malware on the block?
Symantec’s Threat Hunter team has found that the malware was used as recently as November 2021, once again by attackers linked to China. This is further consolidated by the fact that most of the targets are organisations and governments of strategic interest to China and the presence of other Chinses espionage tools present on some of Daxin’s targets.
The malware avoids firewall detection by hijacking legitimate TCP/IP connections. Symantec ships as a Windows kernel driver and monitors all incoming TCP/IP traffic for specific patterns. Once a pattern is detected, Daxin takes over the connection and then performs a custom key exchange with the remote peer.
Once the key exchange is complete, Daxin can open an encrypted communication channel to receive further commands and send responses. And that’s not all; Daxin also has the following capabilities.
- Creating a new communications channel across multiple infected computers. This lets the attacker specifiy a target machine on the network with a single message.
- it can encapsulate raw network packets to be trasnmitted via the local network adaptor and then tracks network flow so that any response packets are captured and forwarded to the attacker.
- Deploy additional communication components allowing remote attacks to communicate with selected components at once.
Symantec has called Daxin “the most advanced piece of malware Symantec researchers have seen used by a China-linked actor” and has promised more information and deeper technical analysis in future reports.
In the News: Lenovo announces massive lineup refresh at MWC 2022