A previously undocumented espionage tool has been deployed against select governments and other critical infrastructure targets as part of a long-running espionage campaign, orchestrated by China-linked threat actors, that dates back to at least 2013.
Broadcom's Symantec Threat Hunter team characterized the backdoor, codenamed Daxin, as technologically advanced malware that allows attackers to carry out a variety of communication and information-gathering operations against entities in the telecommunications, transportation and manufacturing sectors that are of strategic interest to China.
"The Daxin malware is a highly sophisticated rootkit backdoor with complex and stealthy command-and-control (C2) functionality that allows remote actors to communicate with secured devices not directly connected to the Internet," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an independent advisory.
The implant takes the form of a Windows kernel driver that implements an elaborate communication mechanism, giving the malware a high degree of stealth and the ability to communicate with machines that are not directly connected to the Internet.
It achieves this by deliberately avoiding starting any network services of its own, instead piggybacking on legitimate TCP/IP services already running on the infected computer so that its traffic blends in with normal traffic on the target's network while it receives commands from a remote peer.
"These features are reminiscent of Regin," the researchers noted, referring to another sophisticated malware and hacking toolkit, disclosed in 2014 and attributed to the U.S. National Security Agency (NSA), that was used for government espionage operations.
Besides generating no suspicious network traffic of its own, another unusual aspect of Daxin is its ability to relay commands across a chain of infected computers inside the attacked organization, creating a "multi-node communication channel" that gives the attackers recurring access to the compromised computers over long periods.
While the most recent intrusions involving the backdoor reportedly occurred in November 2021, Symantec said it found code-level commonalities with an older piece of malware called Exforel (aka Zala), suggesting that Daxin was either built by an actor with access to the latter's codebase or that the two are the work of the same group.
The campaigns have not been traced to a single adversary, but a timeline of the attacks shows that Daxin was installed on some of the same systems where tools associated with other Chinese espionage actors, such as Slug, were found. This includes the deployment of both Daxin and the Owprox malware on a single computer belonging to a technology company in May 2020.
"Daxin is undoubtedly the most advanced malware [...] used by a China-linked actor," the researchers said. "Given its capabilities and the nature of the attacks in which it is deployed, Daxin appears to be optimized for use against hardened targets, allowing attackers to dig deep into the target's network and exfiltrate data without arousing suspicion."
The disclosure comes a week after China-based Pangu Lab exposed a "top-tier" backdoor called Bvp47, which it attributed to the U.S. National Security Agency and said had been used for more than a decade against up to 287 organizations in 45 countries, located mainly in China, Korea, Japan, Germany, Spain, India and Mexico.