Researchers at Symantec have released details of a newly discovered malware they named Daxin, which has links to Chinese threat actors. The malware is a Windows kernel driver designed to penetrate networks that have been hardened against cyber-attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) also released details about the malware and stated that it has been used to target select governments and other critical infrastructure.

Daxin is a rootkit backdoor that gives threat actors root-level access to compromised networks. It has a stealthy command-and-control (C2) function that lets it burrow into targets’ networks and exfiltrate data without raising suspicion. Its standout feature is that it does not start its own network service; instead it relies on legitimate network services already running on computers that have been compromised. The malware lets the attackers communicate across a network of infected computers and picks the optimal path for communications between those computers in a single sweep. It works by hijacking the encryption key exchange between networked computers, using patterns in incoming TCP traffic to decide whether a given connection is worth targeting.
The most recent sample of Daxin was found in November 2021, but the earliest known attack took place in 2013. Multiple government entities have been targeted by this malware for espionage purposes, and the most commonly targeted entities appear to be those holding data that China would find interesting. Routine checks of networks and systems for abnormal behavior should be conducted. IOCs from Symantec can be found here: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
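One routine check that follows from the mechanism described above (a backdoor that answers on ports owned by legitimate services rather than opening its own) is to flag TCP sessions whose first client bytes do not look like the protocol normally spoken on the destination port. The Python heuristic below is an added illustration, not Symantec's or CISA's tooling and not based on Daxin's actual trigger patterns, which this page does not give; the sample sessions are constructed, and the port-to-protocol table and the "non-conforming first payload" signal are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first client-to-server payload bytes of the TCP session


def looks_like_http(p: bytes) -> bool:
    # Loose check: an HTTP/1.x request line terminated by CRLF.
    return re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n", p) is not None


def looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), major version 0x03, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


# Assumed mapping of service ports to the client protocol expected on them.
EXPECTED = {80: looks_like_http, 8080: looks_like_http, 443: looks_like_tls_client_hello}


def flag_nonconforming(sessions: list) -> list:
    """Return sessions to a known service port whose first client bytes do not
    match that port's protocol. A legitimate service would normally reject such
    input; a connection that instead stays up deserves a closer look."""
    hits = []
    for s in sessions:
        check = EXPECTED.get(s.dport)
        if check is not None and s.first_payload and not check(s.first_payload):
            hits.append(s)
    return hits


# Constructed sample records, not captured traffic.
SAMPLE = [
    Session("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Session("10.0.0.6", "10.0.0.20", 443, b"\x16\x03\x01\x00\x9a\x01\x00\x00\x96\x03\x03" + b"\x00" * 32),
    Session("198.51.100.7", "10.0.0.20", 80, b"\x8f\x21\xa0\x00\x13\x37\xde\xad"),  # binary blob on port 80
    Session("203.0.113.9", "10.0.0.20", 443, b"hello\r\n"),  # plaintext on port 443
    Session("10.0.0.8", "10.0.0.20", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),  # port not in table: skipped
]

if __name__ == "__main__":
    for s in flag_nonconforming(SAMPLE):
        print(f"review: {s.src} -> {s.dst}:{s.dport} first bytes {s.first_payload[:8]!r}")
```

A normal web or TLS server answers malformed input with a 400 or a TLS alert and closes, so the sessions to escalate are those that stay open and keep carrying traffic after a non-conforming first payload.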