New “highly sophisticated” China-linked malware has been discovered which exhibits technical complexity previously unseen by such actors.
The malware, which was discovered by the Symantec Threat Hunter team, appears to have been used in a long-running espionage campaign against select government and other critical infrastructure targets.
The researchers have named the malware Backdoor.Daxin and have worked with the Cybersecurity and Infrastructure Security Agency (CISA) to engage with multiple foreign governments targeted with Daxin and assist them with detection and remediation of this malware.
What is Daxin?
Daxin allows attackers to perform various communications and data-gathering operations on an infected computer. The researchers said there’s strong evidence that it has been used as recently as November 2021 by attackers linked to China. Additionally, other tools associated with Chinese espionage actors were found on some of the computers where Daxin was deployed.
Symantec researchers said it is, without doubt, the most advanced piece of malware they’ve seen used by a China-linked actor. They added that Daxin appears to be optimised for use against hardened targets, allowing attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.
How does Daxin work?
Daxin comes in the form of a Windows kernel driver, which is a relatively rare format for malware nowadays. It implements advanced communications functionality, which gives it a high degree of stealth and allows attackers to communicate with infected computers on highly secured networks, where direct internet connectivity is not available. Symantec said these features are reminiscent of Regin, an advanced espionage tool it discovered in 2014 that has been linked to Western intelligence services.
Its capabilities led researchers to believe the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target’s network. The malware avoids starting its own network services but can abuse any legitimate services already running on the infected computers.
Daxin can also relay its communications across a network of infected computers within the attacked organisation. Attackers can select an arbitrary path across infected computers and send a single command that instructs them to establish requested connectivity. It also features network tunnelling, allowing attackers to communicate with legitimate services on the victim’s network that can be reached from any infected computer.
What makes Daxin different to other malware?
Daxin allows attackers to perform operations on infected computers like reading and writing arbitrary files, as well as starting arbitrary processes and interacting with them. However, its real value, said the researchers, lies in its stealth and communications capabilities.
It can hijack legitimate TCP/IP connections by monitoring all incoming TCP traffic for certain patterns. When the patterns are detected, it disconnects the legitimate recipient and takes over the connection. It can then perform a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange.
A successful key exchange opens an encrypted communication channel for receiving commands and sending responses. This can help Daxin establish connectivity on networks with strict firewall rules, and may lower the risk of discovery.
Researchers said that the most interesting functionality might be its ability to create new communication channels across multiple infected computers, where the list of nodes is provided by the attacker in a single command. For each node, the message includes all the necessary details to establish communication, specifically the node IP address, its TCP port number, and the credentials for the custom key exchange.
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
When Daxin receives the message, it picks the next node from the list, then uses its own TCP/IP stack to connect to the TCP server listed in the selected entry. Once connected, the malware starts the initiator side protocol. If the peer computer is infected, this results in opening a new encrypted communication channel. An updated copy of the original message is then sent over to the new channel, and the process is repeated for the remaining nodes.
“While it is not uncommon for attackers’ communications to make multiple hops across networks in order to get around firewalls and generally avoid raising suspicions, this is usually done step-by-step, such that each hop requires a separate action,” wrote the researchers. “However, in the case of Daxin, this process is a single operation, suggesting the malware is designed for attacks on well-guarded networks, where attackers may need to periodically reconnect into compromised computers.”
Where was Daxin discovered?
Symantec’s team identified Daxin deployments in government organisations as well as entities in the telecommunications, transportation, and manufacturing sectors.
While the most recent attacks involving the malware was in November 2021, the earliest known sample of Daxin is from 2013 and includes the advanced features seen in the most recent variants. Symantec said this suggests the attackers were already well established by 2013.
Before developing Daxin, researchers think that the attackers were experimenting with other techniques. An older piece of malware, Backdoor.Zala or Exforel, contained a number of common features but didn’t have Daxin’s advanced capabilities. Daxin appears to build on Zala’s networking techniques, leading researchers to believe its designers had access to Zala’s codebase.
Has Daxin been linked to espionage actors?
Researchers have found several examples of attacks where tools known to be associated with Chinese espionage actors have been observed along with what appear to be variants of Daxin.
There was an attack against an IT company in November 2019, where the attackers used a single PsExec session to first attempt to deploy Daxin before resorting to Owprox. Owprox is associated with the China-linked Slug.
There was also malicious activity in May 2020 where Daxin and Owprox were seen on a single computer belonging to an unnamed technology company.
Lastly, there was also an attack against a military target in July 2020, where attackers made two unsuccessful attempts to deploy a suspicious driver. When these failed, attackers deployed a variant of Emulov instead. Symantec believes it is highly likely the attackers attempted to deploy Daxin before falling back on other malware.
