The US Cybersecurity and Infrastructure Security Agency (CISA) reported that “Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enables remote actors to communicate with secured devices not connected directly to the internet.”
The backdoor, dubbed Daxin by Broadcom’s Symantec Threat Hunter team, is a technologically advanced malware that allows attackers to conduct a variety of communications and information-gathering operations aimed at entities in the telecom, transportation and manufacturing sectors that are of strategic interest to China.
Daxin is installed as a Windows system driver that implements an elaborate communications mechanism, giving the malware a high degree of stealth and the ability to communicate with PCs that are not connected to the internet.
It achieves this without opening any network services of its own: instead it piggybacks on legitimate TCP/IP services already running on infected systems, blending its communications into normal network traffic and accepting commands from a remote peer.
Besides generating no suspicious network traffic and thus remaining undetected, one of Daxin’s unusual features is its ability to relay commands across a network of infected computers within the targeted organisation, creating a “multi-node communications channel” that gives the attackers recurring access to the compromised computers over extended periods of time.
While the most recent backdoor attacks are reported to have occurred in November 2021, Symantec says it has found code-level similarities with an older piece of malware named Exforel (aka Zala), indicating that Daxin was created by an attacker with access to that backdoor.
Although the campaigns have not been attributed to a single adversary, a timeline of the attacks shows that Daxin was installed on some of the same computers as tools linked to other Chinese espionage actors such as Slug. In May 2020, a single computer belonging to a technology company was infected with both Daxin and Owprox malware.
Finally, the researchers concluded that “Daxin is the most advanced piece of malware employed by a China-linked actor. Based on its capabilities and the type of its deployed attacks, Daxin appears to be optimised for use against hardened targets, allowing attackers to tunnel deep into a target’s network and exfiltrate data without being detected.”