Daxin Espionage Backdoor Ups the Ante on Chinese Malware

Via node-hopping, the espionage tool can reach computers that aren’t even connected to the internet.

The Daxin malware is taking aim at hardened government networks around the world, according to researchers, with the goal of cyberespionage.

The Symantec Threat Hunter team noticed the advanced persistent threat (APT) weapon in action in November, noting that it’s “the most advanced piece of malware Symantec researchers have seen from China-linked actors…exhibiting technical complexity previously unseen by such actors.”

They added that Daxin’s specific scope of operations includes reading and writing arbitrary files; starting and interacting with arbitrary processes; and advanced lateral movement and stealth capabilities.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also flagged the activity, which Symantec characterized as “long-running.” The earliest known sample of the malware dates from 2013, when it already had a large part of the codebase fully developed.

“Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet,” warned CISA, in a Monday alert. “Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.”

Built for Stealth

From a technical standpoint, Daxin takes the form of a Windows kernel driver, according to Symantec’s Monday analysis, and has a focus on stealth.

“Daxin’s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target’s network,” the firm found. “Specifically, the malware avoids starting its own network services. Instead, it can abuse any legitimate services already running on the infected computers.”

It communicates through those legitimate services via network tunneling, they added, and it can further set up daisy-chain communications, moving internally via hops between several linked computers.

“Daxin is also capable of relaying its communications across a network of infected computers within the attacked organization,” they said. “The attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity. This use case has been optimized by Daxin’s designers.”

Daxin also can hijack legitimate TCP/IP connections. According to Symantec, it monitors all incoming TCP traffic for certain patterns, and when a preferred pattern is detected, it disconnects the legitimate recipient and takes over the connection.

“It then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange,” according to the analysis. “A successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.”
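The hijacking behaviour described above has a defensive corollary: once Daxin takes over a connection to, say, the web server, that session stops speaking HTTP, because the client's first bytes were a trigger pattern rather than a request. The following detection heuristic is an added example, not Symantec's analysis and not Daxin's code. It assumes the defender records the first application-layer payload each inbound client sends and flags flows whose payload does not fit the protocol expected on that port. The flow records, the `EXPECTED` table and the trigger bytes are constructed for the demo; the real Daxin trigger patterns are not given in the source text.

```python
"""Protocol-mismatch detector for hijacked service ports (added example).

Assumption: a sensor (Zeek, a NetFlow/PCAP pipeline, or similar) exports, per
inbound TCP connection, the client's first payload bytes after the handshake.
A connection that a Daxin-style implant has hijacked carries its trigger and
key-exchange bytes instead of the service's protocol, so it should fail the
expected-protocol check for that destination port.
"""
import re
from dataclasses import dataclass
from collections import Counter

# Expected first-client-bytes per destination port. Constructed for the demo;
# tune to the services actually exposed on the monitored host.
EXPECTED = {
    # HTTP request line
    80: re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    443: re.compile(rb"^\x16\x03[\x00-\x03]"),
    # NetBIOS session header (0x00 + 3-byte length) followed by SMB1/SMB2 magic
    445: re.compile(rb"^\x00[\x00-\xff]{3}(\xff|\xfe)SMB"),
    # SSH identification string
    22: re.compile(rb"^SSH-2\.0-"),
}


@dataclass
class Flow:
    src: str
    dst_port: int
    first_payload: bytes  # first bytes the client sent after the TCP handshake


def classify(flow: Flow) -> str:
    """Return 'match', 'mismatch', or 'unknown-port' for one flow."""
    pat = EXPECTED.get(flow.dst_port)
    if pat is None:
        return "unknown-port"
    return "match" if pat.match(flow.first_payload) else "mismatch"


def find_suspects(flows):
    """Flows whose first payload does not fit the port's expected protocol."""
    return [f for f in flows if classify(f) == "mismatch"]


def mismatches_by_source(flows):
    """Count mismatching flows per source address; a single peer hitting
    several services with non-protocol bytes is a stronger signal than one."""
    return Counter(f.src for f in find_suspects(flows))


# Constructed sample flows. 203.0.113.9 plays the attacker; its first bytes
# are a made-up trigger pattern, not anything documented for Daxin.
TRIGGER = b"\xde\xad\xbe\xef\x00\x10MAGIC"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.0.7", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("203.0.113.9", 80, TRIGGER),
    Flow("10.0.0.9", 445, b"\x00\x00\x00\x45\xfeSMB@\x00"),
    Flow("203.0.113.9", 445, TRIGGER),
    Flow("10.0.0.11", 8080, b"GET / HTTP/1.1\r\n"),  # port not in table
]

if __name__ == "__main__":
    for f in find_suspects(SAMPLE_FLOWS):
        print(f"mismatch: {f.src} -> :{f.dst_port} first bytes {f.first_payload[:8]!r}")
    print("per source:", dict(mismatches_by_source(SAMPLE_FLOWS)))
```

The check only catches an implant whose trigger is raw bytes. If the trigger were embedded inside a well-formed request (a particular header value, for instance), the first-payload test would pass and the anomaly would only show up later in the session, so this heuristic belongs alongside, not instead of, full protocol parsing such as Zeek's dynamic protocol detection.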

Put together, this means a single command message carries all the details required to establish communication: each node's IP address, its TCP port number and the credentials to use during the custom key exchange. When Daxin receives this message, it picks the next node from the list.

The research team linked Daxin to Chinese actors because it’s usually deployed alongside tools known to be associated with Chinese espionage actors.

“Most of the targets appear to be organizations and governments of strategic interest to China,” they added. “Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.”
