Skip links

China-linked malware targeted secure networks at ‘multiple governments’

The United States’ Cybersecurity and Infrastructure Security Agency (CISA), working with security vendor Symantec, has found an extremely sophisticated network attack tool that can invisibly create backdoors, has been plausibly linked to Chinese actors, and may have been in use since 2013.

Symantec’s threat hunting team has named the malware “Daxin” and described it as “a stealthy backdoor designed for attacks on hardened networks”. The Broadcom-owned security firm says it’s found samples of the malware dating back to 2013, and that features present in recent versions were also found in older cuts of the code. Those recent versions of the malware have been associated with “China-linked threat actors”.

CISA’s advisory about the malware describes it as “a highly sophisticated rootkit backdoor with complex, stealthy command and control functionality that enabled remote actors to communicate with secured devices not connected directly to the internet”. The agency asserts that Daxin “appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions”.

Symantec’s analysis of the malware states it’s been used as recently as November 2021 by attackers linked to the Middle Kingdom, and that whoever wields it has targeted “organizations and governments of strategic interest to China”.

Wherever it comes from, Daxin is nasty.

Symantec says it ships as a Windows kernel driver and works to hijack legitimate TCP/IP connections.

“In order to do so, it monitors all incoming TCP traffic for certain patterns,” Symantec’s analysis states. “Whenever any of these patterns are detected, Daxin disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, where two sides follow complementary steps.”

Once key exchange has been conducted, Daxin opens an encrypted communication channel for receiving commands and sending responses. By hijacking connections, Daxin may evade firewall rules.

Daxin can also perform the following tricks:

  • Create a new communications channel across multiple infected computers, with attackers able to send a single message specifying which nodes they want to participate in this effort. The network then self-assembles and creates encrypted links between nodes and retransmits the message ordering use of each node. Symantec suggests this design was chosen to work on well-guarded networks that force periodic reconnection.
  • Encapsulate raw network packets to be transmitted via the local network adapter. Daxin then tracks network flows so that any response packets are captured and forwarded to the remote attacker. This feature means attackers can communicate with legitimate services that are reachable from the infected machine on the target’s network.
  • Deploy additional stealthy comms components, one of which allows a remote attacker to communicate with selected components.

Symantec’s explainer promises further revelations about Daxin. That will be welcome, because at the time of writing we know that unnamed China-linked entities appear to have been able to drop a very stealthy backdoor into states’ secured networks – but we don’t know when and where those attacks happened, or the results of any compromises. The Register is eyeing off this rotting load of infosec carrion and we’ll bring you more news as it becomes available. ®