China-linked Daxin espionage tool attacks governments, other critical infrastructure installations


A highly-sophisticated espionage tool named Daxin is being used by China-linked hackers against select governments and other critical infrastructure targets, according to research released by the Symantec Threat Hunter team on Monday. Affected targets of Daxin deployments have included government organizations and entities in the telecommunications, transportation, and manufacturing sectors. Several of these victims were identified with the assistance of the PwC Threat Intelligence team.

The “espionage tool is the most advanced piece of malware Symantec researchers have seen from China-linked actors,” Symantec said in a blog post on Monday. The tool exhibits a level of technical complexity not previously seen from such actors, it said.

Considering its capabilities and the nature of its deployed attacks, “Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” the post added.

Symantec also found “several examples of attacks where tools known to be associated with Chinese espionage actors have been observed along with what we believe to be variants of Daxin.”

Symantec, part of Broadcom Software, highlighted one notable capability: Daxin can create a new communications channel across multiple infected computers, with the attacker supplying the full list of nodes in a single command. “For each node, the message includes all the details required to establish communication, specifically the node IP address, its TCP port number, and the credentials to use during custom key exchange. When Daxin receives this message, it picks the next node from the list. Then it uses its own TCP/IP stack to connect to the TCP server listed in the selected entry. Once connected, Daxin starts the initiator side protocol,” it added.

According to Symantec, if the peer computer is infected with Daxin, this results in opening a new encrypted communication channel. “An updated copy of the original message is then sent over this new channel, where the position of the next node to use is incremented. The process then repeats for the remaining nodes on the list,” it added.
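The relay described above leaves a recognisable shape in network flow records: a connection from host A to host B is followed, within seconds, by a connection from B to C, then C to D, each hop starting after the previous one completed. The script below is an added illustrative example, not Symantec's code and not a Daxin signature; it assumes flow records in a simple constructed format (timestamp, source, destination, destination port) and reports chains of hops in which each destination becomes the next source within a short window, starting only from hosts that were not themselves reached by a hop shortly before.

```python
"""Flag chained host-to-host connections in flow records.

Added illustrative detection logic (not the vendor's code). It assumes flow
records of the form '<ISO timestamp> <src> <dst> <dport>' and looks for
sequences where each hop's destination opens the next hop within WINDOW
seconds, the pattern a multi-node relay would leave in flow logs.
"""
from datetime import datetime, timedelta
from dataclasses import dataclass
from typing import List

WINDOW = timedelta(seconds=30)   # max delay between consecutive hops (assumed)
MIN_HOPS = 3                     # shorter chains are common admin traffic


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed sample flow log; the first four lines form one relay chain,
# the rest are ordinary connections that should not be reported.
SAMPLE_FLOWS = """
# time                src        dst        dport
2021-11-03T09:00:00   10.0.0.5   10.0.1.20  443
2021-11-03T09:00:04   10.0.1.20  10.0.2.31  445
2021-11-03T09:00:09   10.0.2.31  10.0.3.7   8443
2021-11-03T09:00:13   10.0.3.7   10.0.4.12  443
2021-11-03T09:10:00   10.0.0.9   10.0.1.20  80     # no onward hop in window
2021-11-03T09:20:00   10.0.5.1   10.0.5.2   22
2021-11-03T09:25:00   10.0.5.2   10.0.5.3   22     # too late to count as a hop
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def _is_root(flow: Flow, flows: List[Flow]) -> bool:
    """A flow starts a chain only if its source was not reached by a hop
    shortly before; this avoids reporting every suffix of a long chain."""
    return not any(
        g.dst == flow.src and flow.ts - WINDOW <= g.ts < flow.ts for g in flows
    )


def find_relay_chains(flows: List[Flow]) -> List[List[str]]:
    """Return host chains [h0, h1, ...] with at least MIN_HOPS hops where each
    hop h_i -> h_(i+1) begins after, and within WINDOW of, the previous hop."""
    chains: List[List[str]] = []

    def extend(chain: List[str], last: Flow) -> None:
        extended = False
        for f in flows:
            if f.src == last.dst and f.dst not in chain \
                    and last.ts < f.ts <= last.ts + WINDOW:
                extend(chain + [f.dst], f)
                extended = True
        if not extended and len(chain) - 1 >= MIN_HOPS:
            chains.append(chain)

    for f in flows:
        if _is_root(f, flows):
            extend([f.src, f.dst], f)
    return chains


def analyze(text: str) -> List[List[str]]:
    """Parse a flow log and return the relay-shaped chains found in it."""
    return find_relay_chains(parse_flows(text))


if __name__ == "__main__":
    for chain in analyze(SAMPLE_FLOWS):
        print("relay-shaped chain:", " -> ".join(chain))
```

On the sample data this reports the single four-hop chain 10.0.0.5 -> 10.0.1.20 -> 10.0.2.31 -> 10.0.3.7 -> 10.0.4.12. The window and minimum hop count are tuning knobs: on a busy network, legitimate orchestration and backup traffic also chain, so the useful signal is a chain whose hops use assorted ports and connect hosts that normally have no relationship.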

There is strong evidence to suggest the malware, ‘Backdoor.Daxin,’ which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November last year by attackers linked to China, Symantec said. Most of the targets appear to be organizations and governments of strategic interest to China. In addition, other tools associated with Chinese espionage hackers were found on some of the same computers where Daxin was deployed, it added.

While the most recent known attacks involving Daxin occurred in November, the earliest known sample of the malware dates from 2013 and already included advanced features seen in the most recent variants. A large part of the codebase had already been fully developed by then, suggesting “that the attackers were already well established by 2013, with Daxin features reflecting their expertise at that time,” Symantec said.

“Daxin is a backdoor that allows the attacker to perform various operations on the infected computer such as reading and writing arbitrary files,” Symantec said. The attacker can also start arbitrary processes and interact with them. While the set of operations recognized by Daxin is quite narrow, its real value to attackers lies in its stealth and communications capabilities, it added.

“We believe that before commencing development of Daxin, the attackers were already experimenting for some time with the techniques that become part of Daxin. An older piece of malware – Backdoor.Zala (aka Exforel) – contained a number of common features but did not have many of Daxin’s advanced capabilities,” according to Symantec. 

Daxin appears to build on Zala’s networking techniques, reusing a significant amount of distinctive code and even sharing certain magic constants, the company found. “This is in addition to a certain public library used to perform hooking that is also common between some variants of Daxin and Zala. The extensive sharing indicates that Daxin designers at least had access to Zala’s codebase. We believe that both malware families were used by the same actor, which became active no later than 2009,” it added.

Daxin is capable of communicating by hijacking legitimate TCP/IP connections. In order to do so, it monitors all incoming TCP traffic for certain patterns, according to Symantec. “Whenever any of these patterns are detected, Daxin disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange,” it added. 

Research showed that a “successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies,” it added.
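One consequence of the hijacking described above is a mismatch between what the network sees and what the host's own TCP/IP stack reports: the legitimate recipient is disconnected, and the connection is then served by the malware's private stack, so a flow that a tap or flow collector sees as established to a listening port may be absent from the host's socket table. The script below is an added illustrative example, not Symantec's code and not a published Daxin detection; it assumes two constructed snapshots taken at the same instant, flow records from a network tap and the host's socket table (as an EDR agent or `netstat` would report it), and lists established flows the host does not know about.

```python
"""Cross-check network-visible TCP flows against a host's own socket table.

Added illustrative detection logic (not the vendor's code). Assumes a tap
snapshot ('<src>:<sport> <dst>:<dport> <state>') and a host snapshot
('<local>:<lport> <remote>:<rport> <state>') captured at the same moment.
An established flow to a listening port that the host stack does not list
is the shape a connection served by a private TCP/IP stack would leave.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Conn:
    local: Endpoint    # the monitored host's side
    remote: Endpoint   # the peer's side
    state: str


# Constructed tap snapshot of flows terminating on the monitored host.
NET_FLOWS = """
198.51.100.7:51522  10.0.1.20:443  ESTABLISHED
203.0.113.9:40112   10.0.1.20:443  ESTABLISHED
192.0.2.44:33001    10.0.1.20:443  ESTABLISHED   # absent from the host view
198.51.100.8:51700  10.0.1.20:443  TIME_WAIT     # ignored: not established
10.0.0.3:55012      10.0.1.20:22   ESTABLISHED
"""

# Constructed socket table as reported by the host 10.0.1.20 itself.
HOST_SOCKETS = """
10.0.1.20:443  198.51.100.7:51522  ESTABLISHED
10.0.1.20:443  203.0.113.9:40112   ESTABLISHED
10.0.1.20:22   10.0.0.3:55012      ESTABLISHED
"""


def _endpoint(text: str) -> Endpoint:
    host, port = text.rsplit(":", 1)
    return host, int(port)


def _records(text: str):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_net_flows(text: str) -> List[Conn]:
    """Tap view: source first, destination (the monitored host) second."""
    return [Conn(local=_endpoint(dst), remote=_endpoint(src), state=state)
            for src, dst, state in _records(text)]


def parse_host_sockets(text: str) -> List[Conn]:
    """Host view: local endpoint first, remote endpoint second."""
    return [Conn(local=_endpoint(local), remote=_endpoint(remote), state=state)
            for local, remote, state in _records(text)]


def find_orphan_flows(net_flows: List[Conn], host_sockets: List[Conn],
                      monitored_host: str) -> List[Conn]:
    """Return established flows to monitored_host that its stack does not report."""
    known: Set[Tuple[Endpoint, Endpoint]] = {
        (c.local, c.remote) for c in host_sockets if c.state == "ESTABLISHED"
    }
    return [c for c in net_flows
            if c.local[0] == monitored_host
            and c.state == "ESTABLISHED"
            and (c.local, c.remote) not in known]


def analyze(net_text: str, host_text: str, monitored_host: str) -> List[Conn]:
    return find_orphan_flows(parse_net_flows(net_text),
                             parse_host_sockets(host_text), monitored_host)


if __name__ == "__main__":
    for c in analyze(NET_FLOWS, HOST_SOCKETS, "10.0.1.20"):
        print("flow unknown to host stack: %s:%d -> %s:%d"
              % (c.remote[0], c.remote[1], c.local[0], c.local[1]))
```

On the sample data only the flow from 192.0.2.44:33001 is reported. A single pair of snapshots is noisy in practice, because connections opened or closed between the two captures look like mismatches; the usable version of this check requires a flow to stay orphaned across several consecutive snapshots before alerting.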

U.S. security agencies released last July a joint cybersecurity advisory providing details of various Chinese state-sponsored cyber techniques used to target U.S. and allied networks. The administration provided information on an alleged Chinese advanced persistent threat (APT) group known in open-source reporting as APT40.

Last week, a group of Iranian government-sponsored APT hackers known as ‘MuddyWater’ was reported to have targeted a range of government and private-sector organizations across various sectors, including telecommunications, defense, local government, and oil and natural gas, across Asia, Africa, Europe, and North America, according to an alert issued by the U.S. and U.K. security agencies.
