Researchers have discovered a new, highly sophisticated and multifunctional backdoor used by a Chinese threat actor to target government agencies and critical infrastructure organizations in several countries.
The malware is known as Daxin and the earliest samples are from 2013, though researchers at Symantec said it has been used as recently as November. Daxin has a long list of capabilities, some of which are standard fare for modern backdoors, but it also has an unusual communication system that enables remote attackers to use multiple infected machines on a network as hops to disguise traffic. The malware appears to be specifically tailored for use against well-defended networks and shares some common features and functionality with another piece of malware, known as Zala or Exforel.
“Daxin appears to build on Zala’s networking techniques, reusing a significant amount of distinctive code and even sharing certain magic constants. This is in addition to a certain public library used to perform hooking that is also common between some variants of Daxin and Zala. The extensive sharing indicates that Daxin designers at least had access to Zala’s codebase. We believe that both malware families were used by the same actor, which became active no later than 2009,” the Symantec researchers said in a new analysis published Monday.
The Daxin backdoor has been used against several types of targets, including military organizations, government agencies, critical infrastructure operators, and others. Symantec’s Threat Hunter Team did not specifically attribute Daxin to a known group, but said that Daxin has been used alongside the Owprox malware, which is linked to the OwlProxy APT group. The researchers described Daxin as “without a doubt the most advanced piece of malware” used by a Chinese threat group.
“Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” the researchers said.
Among the unusual aspects of Daxin is the fact that it takes the form of a Windows kernel driver and uses an unconventional communication protocol. The protocol looks to be designed with an eye toward evading detection and ensuring persistent communication with infected machines: rather than opening a listening port of its own, Daxin monitors the host's existing TCP traffic from the driver and takes over a legitimate connection when it sees a specific pattern, so the command channel rides on traffic the host is already expected to handle.
“Perhaps the most interesting functionality is the ability to create a new communications channel across multiple infected computers, where the list of nodes is provided by the attacker in a single command. For each node, the message includes all the details required to establish communication, specifically the node IP address, its TCP port number, and the credentials to use during custom key exchange,” the researchers said.
“When Daxin receives this message, it picks the next node from the list. Then it uses its own TCP/IP stack to connect to the TCP server listed in the selected entry. Once connected, Daxin starts the initiator-side protocol. If the peer computer is infected with Daxin, this results in opening a new encrypted communication channel. An updated copy of the original message is then sent over this new channel, where the position of the next node to use is incremented. The process then repeats for the remaining nodes on the list.”
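The hop-chain mechanism the researchers describe can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Daxin's code or anything from Symantec's analysis: the message layout (a node list plus an index into it), the stand-in key exchange (a shared credential checked by the responding implant) and the sample network are all assumptions made for the example. It shows the two behaviours that matter to a defender: each implant dials only the next node and forwards the command with the index incremented, and the chain stalls as soon as a listed node does not answer the handshake.

```python
"""Simulation of the multi-node channel described in the quoted analysis.

Illustrative reconstruction only (not Daxin code): the message layout, the
handshake and the host table below are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HopEntry:
    """One node in the attacker-supplied list: address, port and the
    credential used in the (unspecified) custom key exchange."""
    ip: str
    port: int
    credential: bytes


@dataclass(frozen=True)
class ChainCommand:
    """The single command carrying every hop; next_index is the position of
    the node the receiving implant should dial next."""
    nodes: Tuple[HopEntry, ...]
    next_index: int = 0


@dataclass
class Host:
    """Constructed model of a machine on the victim network."""
    ip: str
    infected: bool
    credential: Optional[bytes] = None   # credential the implant there accepts


def key_exchange(offered: bytes, peer: Host) -> bool:
    """Stand-in for the custom key exchange (assumption: a shared credential
    compared by the responding implant). A clean host, or a wrong credential,
    yields no encrypted channel."""
    return peer.infected and peer.credential == offered


def relay(cmd: ChainCommand, hosts: Dict[str, Host], path: List[str]) -> List[str]:
    """Behaviour of an implant that has just received `cmd` over an existing
    channel: pick the next node, connect, run the initiator-side handshake,
    then forward an updated copy of the command with next_index incremented.
    Returns the list of hops actually established."""
    if cmd.next_index >= len(cmd.nodes):
        return path                      # list exhausted: chain complete
    hop = cmd.nodes[cmd.next_index]
    peer = hosts.get(hop.ip)
    if peer is None or not key_exchange(hop.credential, peer):
        return path                      # no implant answered: chain stalls here
    path.append(f"{hop.ip}:{hop.port}")
    forwarded = replace(cmd, next_index=cmd.next_index + 1)
    return relay(forwarded, hosts, path)


def build_chain(cmd: ChainCommand, hosts: Dict[str, Host]) -> List[str]:
    """Entry point: the implant the attacker already reaches processes the
    command and the chain unfolds node by node."""
    return relay(cmd, hosts, [])


def observed_flows(entry_ip: str, path: List[str]) -> List[Tuple[str, str]]:
    """What a network sensor would see: each hop is a separate internal TCP
    connection from the previous node to the next, never one long session
    from the outside in."""
    flows = []
    src = entry_ip
    for hop in path:
        dst = hop.split(":")[0]
        flows.append((src, dst))
        src = dst
    return flows


# Constructed sample network: three implanted hosts and one clean host.
SECRET = b"shared-credential"
HOSTS = {
    "10.0.0.10": Host("10.0.0.10", True, SECRET),   # entry implant
    "10.0.0.20": Host("10.0.0.20", True, SECRET),
    "10.0.0.30": Host("10.0.0.30", True, SECRET),
    "10.0.0.40": Host("10.0.0.40", False),          # clean machine
}

GOOD_CHAIN = ChainCommand((
    HopEntry("10.0.0.20", 443, SECRET),
    HopEntry("10.0.0.30", 8443, SECRET),
))

# Same idea, but the attacker listed a machine that is not implanted.
STALLED_CHAIN = ChainCommand((
    HopEntry("10.0.0.20", 443, SECRET),
    HopEntry("10.0.0.40", 445, SECRET),
    HopEntry("10.0.0.30", 8443, SECRET),
))

if __name__ == "__main__":
    for cmd in (GOOD_CHAIN, STALLED_CHAIN):
        path = build_chain(cmd, HOSTS)
        print("hops:", path)
        print("flows:", observed_flows("10.0.0.10", path))
```

The `observed_flows` helper is the detection-side takeaway: a chain of this kind never produces a single inbound session to the deepest host, only a series of peer-to-peer internal connections, each of which looks like ordinary east-west traffic on its own. Correlating short-lived internal connections that start shortly after one another along a path is what exposes the hop structure.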
Like many malware tools used by top-tier actors, Daxin is not widely distributed, but rather is used in targeted attacks on carefully selected organizations. Symantec researchers are still in the process of analyzing Daxin and plan to release more details in the coming weeks.