Previously undocumented rootkit being deployed by Chinese APT

Daxin malware has some really clever C2 techniques to exfiltrate intelligence

Security researchers at Broadcom Software's Symantec have identified a previously unseen, highly sophisticated rootkit that, comparatively unusually, comes in the form of a Windows kernel driver. Dubbing it Daxin, they said it was "without doubt the most advanced piece of malware... seen used by a China-linked actor."

The Daxin malware has been seen on the infrastructure of government organizations as well as telcos, transportation, and manufacturing companies, the Symantec Threat Hunter team said, adding that several of the victims were identified with the help of the PwC Threat Intelligence team. Attacks have been seen as recently as November 2021, but samples suggest that the rootkit has been in development since at least 2013.

A corresponding alert from CISA meanwhile noted that the Daxin malware comes with "complex, stealthy command and control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet. Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions."

The US cybersecurity agency said it worked with Symantec -- which has published some limited IOCs as part of a top-level overview and promised more technical detail in coming days -- to engage "multiple governments targeted with Daxin malware and assisted in detection and remediation" via Broadcom's membership in the Joint Cyber Defense Collaborative (JCDC), a public-private partnership launched by CISA in August 2021.

Daxin malware monitors TCP/IP traffic for patterns it can hijack

Daxin monitors all incoming TCP traffic for certain patterns and, having spotted a suitable one, disconnects the legitimate recipient and takes over the connection, Symantec said: "It then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange. A successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules."

"It may also lower the risk of discovery by SOC analysts monitoring for network anomalies."

The malware can also create a new communications channel across multiple infected computers with a single command, sending a message to each "node" with the details required to establish communication, such as the node IP address, TCP port number, and the credentials to use during the custom key exchange.

"When Daxin receives this message, it picks the next node from the list. Then it uses its own TCP/IP stack to connect to the TCP server listed in the selected entry. Once connected, Daxin starts the initiator side protocol. If the peer computer is infected with Daxin, this results in opening a new encrypted communication channel. An updated copy of the original message is then sent over this new channel, where the position of the next node to use is incremented. The process then repeats for the remaining nodes on the list."
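
The node-by-node channel setup described above leaves one pattern on the wire: each host that accepts a connection opens a new one to the next host shortly afterwards. As an added example (not Symantec's or CISA's detection logic), the following Python hunts for such chains in flow records; the record layout, the 30-second window, the three-hop minimum and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.0.1.5", "10.0.2.10", 445),
    (1004, "10.0.2.10", "10.0.3.20", 80),
    (1009, "10.0.3.20", "10.0.4.30", 3389),
    (1500, "10.0.9.9", "10.0.2.10", 443),  # unrelated inbound connection
    (5000, "10.0.4.30", "10.0.5.40", 22),  # too late to extend the chain
]

def find_relay_chains(flows, window=30, min_hops=3):
    """Return chains of flows in which each hop's destination opens the
    next connection within `window` seconds (thresholds are assumptions)."""
    flows = sorted(flows)
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow[1]].append(flow)

    def extend(chain):
        # Depth-first search for the longest continuation of this chain.
        ts, _, dst, _ = chain[-1]
        visited = {chain[0][1]} | {f[2] for f in chain}  # avoid loops
        best = chain
        for nxt in by_src.get(dst, []):
            if ts < nxt[0] <= ts + window and nxt[2] not in visited:
                candidate = extend(chain + [nxt])
                if len(candidate) > len(best):
                    best = candidate
        return best

    chains, covered = [], set()
    for flow in flows:
        if flow in covered:  # already reported as part of a longer chain
            continue
        chain = extend([flow])
        if len(chain) >= min_hops:
            chains.append(chain)
            covered.update(chain)
    return chains

def chain_hosts(chain):
    """Ordered list of hosts a chain passes through."""
    return [chain[0][1]] + [flow[2] for flow in chain]

if __name__ == "__main__":
    for chain in find_relay_chains(SAMPLE_FLOWS):
        print(" -> ".join(chain_hosts(chain)))
```

Jump hosts and proxies produce the same shape, so hits are leads for triage rather than verdicts.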

Working as a backdoor, the malware has a comparatively limited set of functions, such as reading and writing arbitrary files; its real value is in its stealth and communications capabilities, Symantec said.

Security researchers may be frustrated at the comparatively limited details in the Symantec post, but with updates promised soon, The Stack will aim to update this piece as soon as we have more.

Daxin malware IOCs, per Symantec:

Malware related to Daxin activity:

File names attributed to Daxin activity:

Malware observed during overlapping activities:

