Chinese cyberspies target governments with their “most advanced” backdoor.
A distinguishing feature of Daxin is its form: it is a Windows kernel driver, an atypical choice in the malware landscape. Its camouflage relies on its advanced communication capabilities, blending its data exchange into regular internet traffic.
“Daxin is without a doubt the most advanced malware Symantec researchers have seen from a China-linked player,” Symantec said in a new report.
“Considering its capabilities and the nature of the attacks it uses, Daxin appears optimized for use against hardened targets, allowing attackers to penetrate deep into a target’s network and exfiltrate data without raising suspicion.”
Hiding in legitimate network traffic
Backdoors give attackers remote access to a compromised computer system, allowing them to steal data, run commands, or download and install additional malware.
Because these tools are typically used to steal information from secure networks or to compromise a device further, they must include some form of encryption or obfuscation of their data transmission to avoid triggering alerts from network traffic monitoring tools.
Daxin does this by monitoring network traffic on the device for specific patterns. Once such a pattern is detected, it hijacks the legitimate TCP connection and uses it to communicate with the command and control server.
By hijacking TCP connections, Daxin can hide its malicious communications inside what appears to be legitimate traffic, and so remain undetected.
“Daxin’s use of hijacked TCP connections provides a high level of secrecy for its communications and helps establish connectivity in networks with strict firewall rules. It can also reduce the risk of detection by SOC analysts monitoring network anomalies,” explains the Symantec report.
This essentially opens up an encrypted communication channel for data to be transmitted or stolen, all through a seemingly harmless TCP tunnel.
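A defensive check of the kind this hijacking invites, as an added example that is not from the Symantec report or this article: a flow-record analyser that flags TCP sessions on plaintext ports whose payload is high-entropy throughout, or turns high-entropy mid-session as a hijacked connection would. The entropy threshold, port list and sample flows are assumptions constructed for the example, not indicators from the report.

```python
import math
from collections import Counter

# Ports where a plaintext protocol is expected; an encrypted channel riding
# on these is worth a look. Assumed list, not from the report.
PLAINTEXT_PORTS = {21, 25, 80, 110, 143}

# Constructed samples: a short HTTP exchange and a 512-byte high-entropy blob
# (every byte value appears exactly twice, so entropy is the 8.0 maximum).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.0\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
HIGH_ENTROPY = bytes((i * 73 + 41) % 256 for i in range(512))

SAMPLE_FLOWS = [
    {"id": "A", "dst_port": 80, "chunks": [HTTP_GET, HTTP_RESP]},        # benign HTTP
    {"id": "B", "dst_port": 80, "chunks": [HTTP_GET, HIGH_ENTROPY, HIGH_ENTROPY]},  # hijacked
    {"id": "C", "dst_port": 443, "chunks": [HIGH_ENTROPY]},              # TLS, expected
    {"id": "D", "dst_port": 25, "chunks": [HIGH_ENTROPY]},               # odd for SMTP
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, ciphertext sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_flows(flows, threshold=7.0, min_len=64):
    """Return (flow id, reason) for flows on plaintext ports that look encrypted.

    Chunks shorter than min_len are ignored: a chunk of k bytes cannot exceed
    log2(k) bits/byte, so tiny packets would always read as low entropy.
    """
    findings = []
    for flow in flows:
        if flow["dst_port"] not in PLAINTEXT_PORTS:
            continue
        ents = [shannon_entropy(c) for c in flow["chunks"] if len(c) >= min_len]
        if not ents:
            continue
        if ents[0] < threshold and max(ents[1:], default=0.0) >= threshold:
            findings.append((flow["id"], "plaintext session turned high-entropy mid-stream"))
        elif all(e >= threshold for e in ents):
            findings.append((flow["id"], "high-entropy payload on plaintext port"))
    return findings


if __name__ == "__main__":
    for flow_id, reason in suspicious_flows(SAMPLE_FLOWS):
        print(f"flow {flow_id}: {reason}")
```

On real captures this is a triage heuristic, not a Daxin signature: compressed uploads on port 80 will also score high, so treat hits as leads for the SOC rather than verdicts.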
“Daxin’s built-in functionality can be extended by deploying add-ons on the infected computer. Daxin provides a dedicated communication mechanism for these components by implementing a device called \\.\Tcp4,” Symantec explained.
“Malicious components can open this device to register for communication. Each of the components can map a 32-bit service ID to the open \\.\Tcp4 handle. The remote attacker can then communicate with selected components by specifying an appropriate service identifier when sending messages of a specific type.”
Daxin is also notable for its ability to set up complicated communication paths across multiple infected computers at once, with a single command covering a number of nodes.