China-linked group uses new Daxin backdoor

Researchers have discovered a new, highly sophisticated and multifunctional backdoor used by a Chinese threat actor to target government agencies and critical infrastructure organizations in several countries.

The malware is known as Daxin, and the earliest samples date back to 2013, although researchers at Symantec said it was used as recently as November. Daxin has a long list of features, some of which are standard fare for modern backdoors, but it also has an unusual communication mechanism that lets remote attackers route traffic through multiple infected machines on a network in order to hide it. The malware appears to be specifically designed for use against well-defended networks and shares code and functionality with an older malware family known as Zala or Exforel.

“Daxin seems to build on Zala’s networking techniques, reusing a significant amount of distinctive code and even sharing some magic constants. This is in addition to some public libraries used to perform hooking that are also common between some Daxin and Zala variants. The extended sharing indicates that the designers of Daxin at least had access to the Zala code base. We believe both families of malware were used by the same actor, which became active no later than 2009,” Symantec researchers said in a new analysis released Monday.

The Daxin backdoor has been used against several types of targets, including military organizations, government agencies, critical infrastructure operators and others. Symantec’s Threat Hunter Team did not attribute Daxin to a specific known group, but said Daxin has been deployed alongside Owprox malware, which is associated with the APT group known as Owlproxy. The researchers described Daxin as “undoubtedly the most advanced malware” they have seen used by a Chinese threat group.

“Given its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing attackers to dig deep into a target’s network and exfiltrate data without arousing suspicion,” the researchers said.

Among the unusual aspects of Daxin are its form, a Windows kernel driver, and its custom communication protocol. The protocol appears to be designed to evade detection and to maintain persistent communication with infected machines, even on networks where direct outbound connections from those machines would be noticed.

“Perhaps the most interesting feature is the ability to create a new communication channel across multiple infected computers, where the list of nodes is provided by the attacker in a single command. For each node, the message includes all the details needed to establish communication, including the node’s IP address, its TCP port number, and the credentials to use during the custom key exchange,” the researchers said.

“When Daxin receives this message, it selects the next node in the list. It then uses its own TCP/IP stack to connect to the TCP server listed in the selected entry. Once connected, Daxin starts the protocol on the initiator side. If the peer computer is infected with Daxin, this leads to the opening of a new encrypted communication channel. An updated copy of the original message is then sent on this new channel, where the position of the next node to be used is incremented. The process then repeats for the remaining nodes in the list.”
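The hop-list relay described in the two quoted paragraphs above, as an added in-process model that is not Symantec’s code and not Daxin’s own protocol: one command carries the full node list, each node contacts the entry at the current position and forwards a copy with the position incremented, and the chain stops at the first host that is not infected or rejects the credential. The network, the addresses, the credential strings and the equality check that stands in for the custom key exchange are all constructed assumptions for illustration.

```python
"""Simplified model of a multi-hop relay command: the whole node list
travels in one message, and each node forwards it with position + 1.
Constructed example; the real wire format and key exchange are not modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Address = Tuple[str, int]


@dataclass(frozen=True)
class HopEntry:
    """One node as carried in the attacker's command: where to connect and
    the credential to present when the peer's custom key exchange runs."""
    ip: str
    port: int
    credential: bytes


@dataclass(frozen=True)
class HopMessage:
    """The attacker's command: the full node list plus the index of the next
    node to contact.  A relaying node forwards a copy with position + 1."""
    nodes: Tuple[HopEntry, ...]
    position: int = 0


class Node:
    """A host on the lab network.  Only infected nodes speak the protocol;
    a clean host (or a wrong credential) ends the chain at that point."""

    def __init__(self, ip: str, port: int, credential: bytes, infected: bool = True):
        self.ip, self.port, self.credential, self.infected = ip, port, credential, infected

    def handshake(self, presented: bytes) -> bool:
        # Stand-in for the custom key exchange: an equality check on a shared
        # credential (assumption; the real exchange is not described here).
        return self.infected and presented == self.credential

    def relay(self, msg: HopMessage, network: Dict[Address, "Node"]) -> List[Tuple[str, str]]:
        """Process a hop-list command; return the hops actually established."""
        if msg.position >= len(msg.nodes):
            return []                      # end of list: the channel is complete
        entry = msg.nodes[msg.position]
        peer: Optional[Node] = network.get((entry.ip, entry.port))
        if peer is None or not peer.handshake(entry.credential):
            return []                      # peer is clean or rejected the credential
        forwarded = HopMessage(msg.nodes, msg.position + 1)
        return [(self.ip, peer.ip)] + peer.relay(forwarded, network)


def build_network(clean: Tuple[str, ...] = ()) -> Dict[Address, Node]:
    """Constructed four-host lab network; hosts named in `clean` are not infected."""
    hosts = [("10.0.0.1", 8001, b"k1"), ("10.0.0.2", 8002, b"k2"),
             ("10.0.0.3", 8003, b"k3"), ("10.0.0.4", 8004, b"k4")]
    return {(ip, port): Node(ip, port, key, infected=ip not in clean)
            for ip, port, key in hosts}


def run_chain(network: Dict[Address, Node], entry: Address,
              hops: List[HopEntry]) -> List[Tuple[str, str]]:
    """Deliver a hop-list command to `entry` and return the hops that were built."""
    return network[entry].relay(HopMessage(tuple(hops)), network)


# Constructed route: the attacker talks to 10.0.0.1 and wants to reach 10.0.0.4
# through 10.0.0.2 and 10.0.0.3, so the command lists those three nodes.
ROUTE = [HopEntry("10.0.0.2", 8002, b"k2"),
         HopEntry("10.0.0.3", 8003, b"k3"),
         HopEntry("10.0.0.4", 8004, b"k4")]
ENTRY: Address = ("10.0.0.1", 8001)


def full_chain() -> List[Tuple[str, str]]:
    """Every node infected: three hops, ending at 10.0.0.4."""
    return run_chain(build_network(), ENTRY, ROUTE)


def chain_with_clean_host() -> List[Tuple[str, str]]:
    """10.0.0.3 is not infected: the chain stops after the first hop."""
    return run_chain(build_network(clean=("10.0.0.3",)), ENTRY, ROUTE)


def chain_with_bad_credential() -> List[Tuple[str, str]]:
    """Wrong credential for 10.0.0.3: the key exchange fails, chain stops."""
    bad = [ROUTE[0], HopEntry("10.0.0.3", 8003, b"wrong"), ROUTE[2]]
    return run_chain(build_network(), ENTRY, bad)


if __name__ == "__main__":
    print("full chain:      ", full_chain())
    print("clean host:      ", chain_with_clean_host())
    print("bad credential:  ", chain_with_bad_credential())
```

The point of the model is the shape of the traffic it produces: the attacker’s single inbound connection reaches only the entry host, and every later hop is an internal connection initiated by a machine that already sits inside the network, which is why the technique is hard to spot from a perimeter vantage point alone.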

Like many malicious tools used by high-profile actors, Daxin is not widely distributed, but is instead used in targeted attacks against carefully selected organizations. Symantec researchers are still analyzing Daxin and plan to release more details in the coming weeks.
