Symantec’s Threat Hunter Team has reported the discovery of a new piece of malware, Backdoor.Daxin, that it said is linked to China and “exhibit[s] technical complexity previously unseen by such actors.”
Daxin is a backdoor malware that allows its controller to install further malicious software, has network tunneling capabilities, can relay communications across infected nodes, is able to hijack legitimate TCP/IP connections and is otherwise an incredibly complex piece of code.
Daxin was used as recently as November 2021 in attacks linked to Chinese actors, generally against targets of strategic value to China. It has also been found on victims in the telecommunications, transportation and manufacturing sectors. It is not, however, a new threat that has yet to spread.
Daxin has been around in some form since around 2013, Symantec said. Its age may show in how it is delivered: it takes the form of a Windows kernel driver, something Symantec notes is relatively rare for modern malware.
One attack likely to have originated from China that made use of Daxin was a November 2019 intrusion at an unnamed IT company, in which the attackers also used another Chinese malware tool called Owlproxy. In another instance, in May 2020, Daxin and an Owlproxy install were both found on a single computer at another unnamed tech company.
Lastly, in July 2020 a failed attack against a military target involved two attempts to install a “suspicious driver” before the attackers fell back to the Emulov trojan. While not definitively linked to China or Daxin, Symantec says the behavior is similar enough to suggest Daxin was involved.
“Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” Symantec said.
What Daxin is capable of
As mentioned above, Daxin is a complicated piece of malware that shows serious skill on the part of its developers. Symantec describes it as having a narrow set of capabilities, but the things that it does, it does incredibly well.
Take, for example, how Daxin communicates without being noticed: it hijacks legitimate TCP/IP connections. Daxin monitors incoming TCP traffic for certain patterns; when it sees one, it disconnects the legitimate recipient, takes over the connection and performs a custom key exchange with the remote peer. Symantec notes that Daxin “can be both the initiator and target of a key exchange,” so the backdoor can answer an attacker’s inbound probe or reach out itself.
Because the backdoor’s traffic rides on connections the network already permits, this lets Daxin bypass strict firewall rules, and it also minimizes the chance that security teams notice any network anomalies.
Daxin can also encapsulate raw network packets for transmission by the infected machine’s network adapter, then track the resulting flows so that any response packets are captured and forwarded to the attacker. This allows the attacker to communicate with legitimate services on the infected machine’s network as if they were on it.
What Symantec calls its most interesting feature is Daxin’s ability to make hops across multiple infected nodes with just a single command. Hopping around a compromised network is typical, Symantec said, but not in a single action; most attackers get from node to node one command at a time.
With Daxin, however, “this process is a single operation, suggesting the malware is designed for attacks on well-guarded networks, where attackers may need to periodically reconnect into compromised computers.”
Is there a way to stay safe from Daxin?
Symantec doesn’t say much about how Daxin infects its targets, though it has said that its reporting on Daxin will be in multiple parts, which may contain remediation recommendations.
Based on the examples Symantec gave, Daxin’s controllers may be gaining access through hands-on intrusion with tools like PsExec (used in the 2019 case) rather than by seeding malicious documents and relying on users to open them.
With that in mind, keeping networks safe from Daxin is likely to require following known cybersecurity best practices, as well as specific best practices for businesses like SMBs and for specialized networks like ICS/IIoT and OT.
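One concrete check that follows from the kernel-driver delivery noted above is to triage driver-load telemetry for drivers that are unsigned, signed by an unexpected publisher, or loaded from outside the usual driver directory. The script below is an added example and is not Symantec’s code or a Daxin signature; the events it parses are constructed to mimic the fields of Sysmon Event ID 6 (DriverLoad) and the file names in them are hypothetical.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for unusual kernel drivers.

Added example, not from the original article. The SAMPLE_EVENTS below are
constructed; the driver names and paths are hypothetical, not Daxin indicators.
"""
import json
import re

# Constructed events. Field names mirror Sysmon Event ID 6 output
# (ImageLoaded, Hashes, Signed, Signature, SignatureStatus).
SAMPLE_EVENTS = [
    json.dumps({"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                "Hashes": "SHA256=0000", "Signed": "true",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"ImageLoaded": "C:\\ProgramData\\update\\netfilter.sys",
                "Hashes": "SHA256=1111", "Signed": "false",
                "Signature": "", "SignatureStatus": "Unavailable"}),
    json.dumps({"ImageLoaded": "C:\\Windows\\System32\\drivers\\vendorsvc.sys",
                "Hashes": "SHA256=2222", "Signed": "true",
                "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"}),
]

# Publishers an organisation would normally expect on kernel drivers. Extend
# with the vendors actually deployed on your hosts; this list is an assumption.
EXPECTED_SIGNERS = ("Microsoft Windows", "Microsoft Corporation")

# Drivers normally live under System32\drivers; anything else merits a look.
EXPECTED_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)


def driver_load_findings(event):
    """Return a list of reasons this DriverLoad event deserves attention."""
    reasons = []
    path = event.get("ImageLoaded", "")
    signed = event.get("Signed", "false").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")

    if not signed or status != "Valid":
        reasons.append("unsigned or invalid signature")
    elif not signer.startswith(EXPECTED_SIGNERS):
        reasons.append("signed by unexpected publisher: " + signer)

    if not EXPECTED_DIR.match(path):
        reasons.append("loaded from outside System32\\drivers: " + path)
    return reasons


def findings_for_line(line):
    """Parse one JSON-encoded event line and triage it."""
    return driver_load_findings(json.loads(line))


def triage(lines):
    """Map each suspicious driver path to the reasons it was flagged."""
    flagged = {}
    for line in lines:
        event = json.loads(line)
        reasons = driver_load_findings(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Two caveats apply when running this against real telemetry. A valid signature is not proof that a driver is benign, and third-party drivers that went through WHQL carry a Microsoft publisher name, so the signer rule is a prioritisation aid rather than a verdict; baseline driver loads against known-good hosts and investigate anything new. Sysmon must also be configured to log Event ID 6 in the first place.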