Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor

Threat hunters at Symantec are calling global attention to a new, highly sophisticated piece of malware being used by a Chinese threat actor to burrow into — and hijack data from — government and critical infrastructure targets.

Threat hunters at Symantec are calling global attention to a new, highly sophisticated piece of malware being used by a Chinese threat actor to burrow into — and hijack data from — government and critical infrastructure targets.

The malware, called Daxin, features “technical complexity previously unseen by such actors” and SecurityWeek sources confirm it is the handiwork of a Chinese threat actor first documented by Microsoft in December 2012.

“Most of the targets appear to be organizations and governments of strategic interest to China. In addition, other tools associated with Chinese espionage actors were found on some of the same computers where Daxin was deployed,” according to public documentation from Symantec’s Threat Hunter Team.

“Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor,” the team declared, warning that Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into an infected network to exfiltrate data without raising suspicions.

[ READ: ‘Regin’ Attack Platform Targeted GSM Networks ]

Symantec released indicators of compromise (IOCs) and technical details alongside documentation on how the Daxin malware implements advanced communications functionality for “a high degree of stealth” and even connections to send and receive commands on highly secured networks where direct internet connectivity is not available. 

Daxin Malware

The researchers said these advanced command-and-control features are reminiscent of Regin, an advanced espionage tool publicly attributed to Western intelligence services.

Advertisement. Scroll to continue reading.

The advanced features seen in the Daxin malware suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target’s network. 

Specifically, Symantec’s sleuths discovered that the malware has the ability to abuse any legitimate services already running on the infected computers, meaning it can avoid starting its own network services. 

“Daxin is also capable of relaying its communications across a network of infected computers within the attacked organization. The attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity,” the researchers explained.

[ READ: Rob Joyce Details ‘Sand and Friction’ Security Strategy ]

They found the malware also using network tunneling to let attackers communicate with legitimate services on the victim’s network that can be reached from any infected computer.

“While the set of operations recognized by Daxin is quite narrow, its real value to attackers lies in its stealth and communications capabilities,” Symanted noted, warning that the malware can communicate by hijacking legitimate TCP/IP connections. 

“Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies,” the company warned.

Symantec said it found Daxin infections in government organizations and entities in the telecommunications, transportation, and manufacturing sectors.   

The company’s research team found multiple technical links to confidently attribute Daxin to known Chinese espionage actors. 

Related: ‘Regin’ Attack Platform Targeted GSM Networks

Related: Researchers Detail Regin Attack Platform Modules

Related: Symantec Uncovers Stealthy Nation-State Cyber Attack Platform

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.