Researchers at Symantec have released details of a newly discovered malware, which they named Daxin, that has links to Chinese threat actors. The malware is a Windows kernel driver designed to penetrate networks that have been hardened against cyber-attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) also released details about the malware and stated that it has been used to target select governments and other critical infrastructure.

Daxin is a rootkit backdoor that gives threat actors root-level access to compromised networks. It has a stealthy Command-and-Control (C2) function, burrows into targets' networks and exfiltrates data without raising suspicion. The standout feature of this malware is that it does not start its own network service; instead it relies on legitimate network services already running on the computers it has compromised. The malware lets the attackers communicate across a chain of infected computers and selects the communication path between those computers in a single sweep. It works by hijacking the encryption key exchange between networked computers, using patterns in incoming TCP traffic to decide whether a given connection is worth targeting.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in