An extremely sophisticated network attack tool has been identified that can invisibly create backdoors. This tool is believed to be associated with Chinese actors and is probably in use since 2013.
The network attack tool
The CISA and Symantec have found Daxin, the network attack tool, developed specifically for attacks on sufficiently secured networks. This allows attackers to get deeply inside the targeted networks and exfiltrate data.
It is a rootkit backdoor with complex, stealthy C2 functionality that allows remote attackers to communicate with secured devices that are not directly connected with the internet.
Researchers have found samples dating back to 2013, and the features in recent versions were found similar to older cuts of the code. Those recent versions are linked with China-linked threat actors.
The Daxin malware is capable of performing several malicious actions.
It creates a new communications channel on different infected computers. The attackers can send a single message defining which node they want to use.
The tool encapsulates raw network packets transmitted through a local network adapter. It tracks network flows to capture and forward any response packets to the remote attacker.
Further, Daxin deploys stealthy comms components, one of which allows a remote attacker to communicate with wanted components.
Communication with C2
The tool spreads under the guise of a Windows kernel driver and works to hijack legitimate TCP/IP connections.
It monitors all incoming TCP traffic for particular patterns, disconnects the genuine recipient, and takes over the connection.
It performs a custom key exchange with the remote peer, where the two sides follow supporting steps.
Subsequently, it opens an encrypted communication channel to receive commands and send responses.
Recently used in an attack
Symantec claims that the tool was last used in November 2021 by attackers associated with China. Further, the attacker targeted critical infrastructure and government entities of strategic interests to the nation.
Daxin has one of the most complex features observed in China-linked malware campaigns. There is an immediate need to adopt a dynamic approach to security, along with continuous assessment and updates in existing security measures. Organizations are suggested to make use of IOCs that may help in the detection of malicious activity.