Malware is identified after 10 years in circulation

Highly sophisticated malware has been circulating for more than a decade without being identified. The discovery was made by Symantec researchers, who report that the Backdoor.Daxin malware appears to have been used in a long-running espionage campaign against governments and other targets associated with critical infrastructure.

The backdoor lets its operators run arbitrary processes and interact with them, and while Daxin's set of operations is limited, its strength lies in its communication capabilities and its ability to act stealthily.

According to Symantec, there is strong evidence that Daxin performs various communication and data collection operations on infected computers, and that it was used in November 2021 by actors linked to China against governments and organizations of strategic interest to that country. In addition, other tools associated with Chinese espionage groups were found on some of the same computers on which Daxin was deployed.

Although the most recent Daxin attacks occurred last year, the earliest known version of the malware dates back to 2013 and already included all the advanced features seen in more recent variants. According to Symantec, this suggests that the malware was already well established around 10 years ago.

The malware is the most advanced among those Symantec researchers have identified in association with China. It appears to be optimized to dig deep into victims' networks and extract data without raising suspicion.

Symantec is working with the Cybersecurity and Infrastructure Security Agency (CISA) to call on the various governments targeted by Daxin to cooperate in detecting and fixing the vulnerabilities.

Modus operandi

The Daxin backdoor, which takes the form of a Windows kernel driver, appears to focus on communication techniques that blend in with normal traffic on victims' networks. Specifically, it avoids starting its own network services and instead abuses legitimate services already running on the infected computers.

Daxin is able to communicate by hijacking legitimate TCP/IP connections. To do this, it monitors incoming TCP traffic for specific patterns. Whenever such a pattern is detected, it disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer. If the key exchange succeeds, it opens an encrypted communication channel over which it receives commands and sends replies.

Daxin's use of hijacked TCP connections provides a high degree of stealth for its communication and helps it establish network connections even when strict firewall rules are in place. This modus operandi also reduces the chances of the backdoor being discovered by systems that monitor network traffic for anomalies. There are also dedicated messages that encapsulate raw network packets to be transmitted by the local network card.

Source: Symantec

Perhaps Daxin's most interesting feature is its ability to create a communication channel across infected computers, in which the list of nodes is provided by the attacker in a single command. For each node, the message includes the details necessary to establish communication, specifically the IP address, the TCP port number, and the credentials to be used during the custom key exchange. When Daxin receives this message, it selects the next node in the list. It then uses its own TCP/IP stack to connect to the TCP server listed in the selected entry.

Making multiple hops between nodes on victims' networks to bypass firewalls and avoid raising suspicion is a well-known attacker tactic, but it usually requires several separate actions. In Daxin's case, the whole process is accomplished in a single operation, allowing it to penetrate and spread through well-protected networks in one shot.

Daxin’s victims include government agencies in Asia and Africa, among them Ministries of Justice.