Security researchers have uncovered a stealthy backdoor from a China-linked hacking group that is being used to target critical infrastructure in multiple countries.
The malware, dubbed Daxin by researchers at Broadcom-owned Symantec, is a backdoor ‘rootkit’, malware designed to give an attacker low-level, ‘root’-privilege access to a compromised system. It was most recently seen in use in November 2021, according to Symantec.
Symantec said in a blog post that the Windows kernel-driver malware was the “most advanced piece of malware” its researchers had seen from China-linked actors.
The malware is designed to penetrate networks that have been hardened against cyberattacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) marked Daxin as a “high-impact” security incident based on information shared by its private-sector US cybersecurity partners in the Joint Cyber Defense Collaborative.
CISA notes that Daxin has been used against select governments and other critical infrastructure targets. CISA and Symantec engaged with multiple governments targeted with Daxin malware and assisted in detection and remediation, CISA says.
Daxin is a “highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality”, according to CISA.
“Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions,” CISA notes.
Symantec researchers believe the malware is used for espionage rather than to destroy data, unlike the WhisperGate and HermeticWiper malware currently targeting Ukrainian organizations.
“Most of the targets appear to be organizations and governments of strategic interest to China,” Symantec threat researchers said.
“Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.”
Windows kernel-driver malware is rare today, according to Symantec researchers, who believe Daxin is similar to Regin, a piece of malware that impressed its researchers in 2014.
Daxin’s standout feature is that it doesn’t start its own network services but relies on legitimate network services running on computers it’s already compromised.
The methods are similar to “living-off-the-land” techniques that Microsoft has previously warned about in connection with malware that uses legitimate Windows services to evade detection. But rather than riding on legitimate operating-system processes, Daxin exploits legitimate secured network traffic between internal servers to infect computers and avoid detection.
The malware allows the attackers to communicate across a network of infected computers and picks the optimal path for communications between those computers in a single sweep.
It works by hijacking the encryption key exchange between networked computers, using patterns in incoming TCP traffic to decide whether a given connection is worth targeting.
TCP is one of the internet’s original protocols, designed to protect end-to-end communications between network-connected devices.
“While it is not uncommon for attackers’ communications to make multiple hops across networks in order to get around firewalls and generally avoid raising suspicions, this is usually done step-by-step, such that each hop requires a separate action,” Symantec notes.
“However, in the case of Daxin, this process is a single operation, suggesting the malware is designed for attacks on well-guarded networks, where attackers may need to periodically reconnect into compromised computers.”
Symantec notes that the attackers attempted to deploy Daxin in 2019 using a PsExec session. PsExec is a legitimate Microsoft Sysinternals tool that lets administrators run processes on remote Windows computers.
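PsExec leaves a well-known trace that defenders can look for: it installs a temporary service (by default named PSEXESVC) on the target, which Windows records as System-log Event ID 7045. The script below is an added example, not code from the article or from Symantec, and runs a simple heuristic over constructed, key=value-flattened log lines: it flags 7045 events carrying the default PsExec service name or a service binary staged on the ADMIN$ share. The log format, host names and service names are invented for the example.

```python
import re

# Constructed sample Windows System-log lines, flattened to key=value text for
# the example (not telemetry from the article). Event ID 7045 is written when a
# service is installed; PsExec creates a temporary service named PSEXESVC whose
# binary it copies to the target's ADMIN$ share (the Windows directory).
SAMPLE_EVENTS = [
    'ts=2019-05-14T09:12:01Z host=FS01 EventID=7045 ServiceName=PSEXESVC '
    'ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem',
    'ts=2019-05-14T09:15:44Z host=FS01 EventID=7045 ServiceName=WdNisSvc '
    'ImagePath="C:\\Program Files\\Windows Defender\\NisSrv.exe" Account=LocalService',
    'ts=2019-05-14T10:02:10Z host=DC02 EventID=4624 LogonType=3 Account=svc_backup',
    'ts=2019-05-14T10:03:37Z host=DC02 EventID=7045 ServiceName=abcdefgh '
    'ImagePath=\\\\DC02\\ADMIN$\\abcdefgh.exe Account=LocalSystem',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify_service_install(event):
    """Return a reason string if a 7045 event looks like PsExec-style remote
    service execution, else None. The two heuristics are assumptions for this
    example: the default PSEXESVC name, or a binary launched from ADMIN$."""
    if event.get('EventID') != '7045':
        return None
    name = event.get('ServiceName', '')
    path = event.get('ImagePath', '')
    if name.upper() == 'PSEXESVC' or 'PSEXESVC' in path.upper():
        return 'PsExec default service name'
    if 'ADMIN$' in path.upper():
        return 'service binary staged via ADMIN$ share'
    return None


def flag_remote_service_installs(lines):
    """Run the heuristic over raw log lines; return (host, service, reason) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify_service_install(ev)
        if reason:
            hits.append((ev['host'], ev['ServiceName'], reason))
    return hits


if __name__ == '__main__':
    for host, svc, reason in flag_remote_service_installs(SAMPLE_EVENTS):
        print(f'{host}: service {svc!r} flagged: {reason}')
```

Renaming the PsExec binary defeats the first rule, which is why the second rule keys on where the service binary lives rather than on its name; in practice both rules generate legitimate hits from administrators using the tool, so the output is a triage queue, not an alert on its own.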
However, it adds that similarities between the code bases of Daxin and previously known malware called Zala suggest the group has been active since 2009. Daxin builds on Zala’s existing networking features.