Espionage & Daxin Chinese-Linked Malware Attacks Multiple Governments

Malware used for espionage is fairly different from the types commonly employed in cyber crime. Such malware is optimized for use against well-secured targets. That attribute allows the attackers to penetrate deep into a target's systems and exfiltrate data without being noticed.

Researchers on the Symantec Threat Hunter team have discovered a highly developed piece of malware which has been used in attacks since at least 2013. They have dubbed this malware Daxin. There are reasons to believe that it is China-linked. The inference is not based on any direct evidence but on the fact that Daxin is often deployed alongside tools that are known to be associated with Chinese threat actors.

Daxin is a backdoor which is capable of installing further malicious software. It can also perform network tunneling, relay traffic across infected nodes, and hijack legitimate TCP/IP connections. Its level of sophistication and longevity is rare for China-linked malware. Chinese threat actors have usually worked on a simple idea: break in, achieve the objective, get out. They have not tended to remain under the radar for an extended period of time. Daxin is unique in that respect.

Although researchers at Symantec believe that Daxin has a narrow set of capabilities, it is an incredibly complex piece of code, and it performs the tasks it is programmed for superbly. For instance, Daxin's ability to communicate is phenomenal, and yet it manages to lie low and stay undetected. It hijacks TCP/IP connections by monitoring traffic and closely tracking patterns in it. Once it has identified a suitable connection, it disconnects the original recipient and takes its place. This enables Daxin to perform key exchange in a unique way: the unorthodox approach lets Daxin be "both the initiator and the target of a key exchange."

Symantec researchers observe, "This mode of operations allows the malware to avoid firewall rules by hijacking legitimate traffic, and it also minimizes the chance that security teams notice any network anomalies."

Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has stated that "Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enables remote actors to communicate with secured devices not connected directly to the internet."

Once Daxin lodges itself in a system, it takes the form of a Windows kernel driver that activates a chain of elaborate communication commands. This equips the malware with a high degree of stealth and the ability to communicate with machines that are not connected to the internet. In short, the malware is recognized for two key features, stealth and effective communications, among others. This level of sophistication makes Daxin very dangerous to deal with and nearly impossible to detect.
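Because Daxin runs as a Windows kernel driver, one basic triage step a defender can take is to inventory the kernel-mode drivers currently loaded on a host and flag any whose Authenticode signature does not verify. The following PowerShell is an added example written for this article; it is not code from Symantec or CISA, and it is a generic check rather than a Daxin-specific detection, since the article names no driver file, service name or hash to match on.

```powershell
# Added example: list running kernel-mode drivers and flag those whose
# Authenticode signature is not valid. Generic triage only; the article
# provides no Daxin-specific indicator (driver name or hash) to match.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot prefix or quotes; normalise to a plain file path
    $path = $d.PathName -replace '"', ''
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # $null when unsigned
    }
}

# Anything that is not 'Valid' deserves a closer look: hash the file and
# compare it against vendor or AV intelligence before deciding it is benign.
$results | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every driver path is readable. Bear in mind the caveat that applies to any rootkit: a kernel-mode implant can subvert what user-mode enumeration reports, so an empty result here is not proof of a clean host. Compare the output with EDR telemetry or with an offline scan of the disk image where that is available.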

The researchers at Symantec have confirmed that Daxin's technologically advanced code is best suited to long-running espionage campaigns. The malware permits the attackers to conduct communications and information-gathering operations against a variety of businesses and organizations, such as telecom, manufacturing and transportation companies. Evidently, Chinese-linked threat actors would undertake such activities only to serve the strategic interests of their country.

The team investigating Daxin’s continuous stealthy and clandestine activities has stated, “Most of the targets appear to be organizations and governments of strategic interest to China.”

There is no doubt now that Daxin is among the most sophisticated pieces of malware ever detected by cyber security professionals. That it is capable of staying undetected while undermining the systems it has infiltrated makes it even more dangerous. Researchers will have to work overtime to find an effective countermeasure for this elusive code.
