Symantec, a subsidiary of Broadcom and a member of the U.S. Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative, has uncovered a new malware strain the company calls the most advanced piece of malware ever linked to China-based threat actors.
The Symantec Threat Hunter team says it uncovered malware that appears to be used in a long-running espionage campaign against government agencies and critical infrastructure targets, and that exhibits a level of technical complexity never seen before from such actors.
The disclosure caught the attention of CISA, which published an alert linking back to Symantec’s detailed analysis of the malware, dubbed Daxin.
According to Symantec, Daxin is a backdoor that may have been used as recently as November 2021 in attacks linked to China. It allows attackers to perform communications and data-gathering operations on an infected computer, and appears optimized for use against hardened targets, “allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.”
The Daxin malware comes in the form of a Windows kernel driver, which Symantec notes is a relatively rare format for modern malware. The malware implements advanced communications that provide stealth capabilities and enable attackers to communicate with infected computers on highly secure networks where direct internet connectivity is not available.
Symantec says these features are similar to Regin, which it calls an advanced espionage tool discovered by Symantec in 2014 and largely attributed to Western intelligence agencies.
These capabilities indicate that the attackers invested significant time and effort into giving Daxin the ability to blend into normal network traffic and avoid starting its own network services. Instead, Daxin can abuse legitimate services already running on the infected computer.
The malware is capable of relaying its communications across a network of infected computers within the targeted organization: attackers can select an arbitrary path across infected computers and send a single command that instructs those machines to establish the requested connectivity.
Daxin also includes network tunneling so attackers can communicate with legitimate services on the victim’s network that can be reached from any infected computer.
Symantec notes that the most interesting capability of Daxin is the ability to create a new communication channel across multiple infected computers where the list of nodes is provided by the attacker in a single command.
For each node, the message includes all the details required to establish communication, including the node IP address, TCP port number, and the credentials to use during the custom key exchange. When the malware receives the message, it picks the next node from the list and then uses its own TCP/IP stack to connect to the TCP server listed in the selected entry.
“Once connected, Daxin starts the initiator side protocol,” Symantec says in a blog. “If the peer computer is infected with Daxin, this results in opening a new encrypted communication channel. An updated copy of the original message is then sent over this new channel, where the position of the next node to use is incremented. The process then repeats for the remaining nodes on the list.”
According to Symantec, the malware is rather limited, but provides great value with its stealth and communication capabilities, including the ability to hijack legitimate TCP/IP connections by monitoring all incoming TCP traffic for certain patterns. When those patterns are detected, Daxin takes over the connection and performs a custom key exchange with the remote peer, which opens an encrypted communication channel for receiving commands and sending responses.
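The multi-hop relay described above leaves a trace defenders can hunt for in internal flow logs: a host receives an inbound connection and, within seconds, opens a new outbound connection to another internal host, which repeats the pattern. The following is an added example, not Symantec's code, implementing that hypothetical heuristic over constructed flow records (timestamp, source, destination, port); the 30-second window and three-hop minimum are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, not taken from the Symantec report.
FLOWS = [
    ("2021-11-02T10:00:00", "10.0.0.5", "10.0.1.20", 445),
    ("2021-11-02T10:00:03", "10.0.1.20", "10.0.2.40", 3389),
    ("2021-11-02T10:00:07", "10.0.2.40", "10.0.3.60", 8080),
    ("2021-11-02T11:15:00", "10.0.0.9", "10.0.1.21", 445),   # no onward hop
    ("2021-11-02T12:00:00", "10.0.1.21", "10.0.2.41", 445),  # outside window
]

def parse_flows(records):
    """Turn (iso_timestamp, src, dst, port) tuples into datetime-keyed flows."""
    return [(datetime.fromisoformat(ts), s, d, p) for ts, s, d, p in records]

def find_relay_chains(flows, window_seconds=30, min_hops=3):
    """Return maximal chains [(src, dst, port), ...] in which each hop's
    destination opens a new outbound connection within window_seconds of
    the inbound one. Hypothetical hunting heuristic for Daxin-style relays."""
    flows = sorted(flows)
    outbound = defaultdict(list)          # src -> [(ts, dst, port), ...]
    for ts, s, d, p in flows:
        outbound[s].append((ts, d, p))
    window = timedelta(seconds=window_seconds)

    def extend(chain, last_ts, last_dst, visited):
        best = chain
        for ts, d, p in outbound.get(last_dst, []):
            # Only follow hops that start shortly after the inbound connection
            # and do not revisit a host already on the path.
            if last_ts <= ts <= last_ts + window and d not in visited:
                cand = extend(chain + [(last_dst, d, p)], ts, d, visited | {d})
                if len(cand) > len(best):
                    best = cand
        return best

    chains = []
    for ts, s, d, p in flows:
        chain = extend([(s, d, p)], ts, d, {s, d})
        if len(chain) >= min_hops:
            chains.append(chain)
    # Drop chains that are merely the tail of a longer chain found elsewhere.
    return [c for c in chains
            if not any(len(o) > len(c) and o[-len(c):] == c for o in chains)]
```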
This can be augmented by deploying additional components on the infected computer, which talk to the driver through a dedicated communication mechanism: the driver implements a device named “\\.\Tcp4,” according to Symantec.
“The malicious components can open this device to register themselves for communication. Each of the components can associate a 32-bit service identifier with the opened \\.\Tcp4 handle. The remote attacker is then able to communicate with selected components by specifying a matching service identifier when sending messages of a certain type. The driver also includes a mechanism to send back any responses.”
Daxin was used against government agencies and entities in the telecommunications, transportation and manufacturing sectors, with the earliest known sample dating back to 2013. Notable examples include a 2019 attack against an information technology company and 2020 attacks against a technology company and a military target, according to Symantec.
Other tools associated with China-linked espionage actors were found on some of the same computers where the malware was deployed, the company says.
For mitigation steps and a list of indicators of compromise, visit the Symantec Threat Hunter blog.