Symantec recently published research on Daxin backdoor, which they called the “most advanced” malware they have seen from Chinese threat actors.
What is Daxin Backdoor?
Daxin backdoor, active in the wild since at least November 2013, is being used by an unspecified Chinese threat actor group in an espionage campaign targeting governments and critical infrastructure of strategic interest to China. Victim locations and details were not provided. The most recent known attacks using Daxin occurred in November 2021.
Daxin’s sophistication is apparent in its ability to operate on hardened targets without being detected. It is implemented as a Windows kernel driver and relies on unusual communications functionality to stay hidden. Rather than opening its own listening ports or starting its own network services, Daxin abuses legitimate TCP/IP services already running on the victim. To accomplish this, it monitors all incoming TCP traffic for certain patterns; when a connection matches, Daxin disconnects the legitimate recipient and commandeers the connection. It then performs a custom key exchange with the peer and opens an encrypted channel over which it sends and receives data and commands. Because the traffic arrives on a port that is already permitted and already in use, this method lets the threat actors pass existing firewall rules and evade detection by SOC analysts who are looking for new listeners or unexpected outbound connections.
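The hijacking technique above has a detectable side effect that a practitioner can hunt for: the TCP session is accepted at the kernel level, so it appears in firewall or NetFlow records, but the application that owns the port never sees it and never logs it. The following is an added example (not code from the original page, from Symantec, or from PolySwarm) that correlates constructed firewall connection records with a constructed web-server access log and flags sessions the application never served. The log formats, IP addresses, port numbers, and the `hunt` entry point are all hypothetical, chosen for this illustration; the actual trigger patterns Daxin looks for were not published, so this example deliberately does not try to signature the traffic itself.

```python
# Hunt for TCP sessions that reached a server's listening port but that the
# application behind that port never logged. A kernel-level hijack of the kind
# described for Daxin accepts the connection in the TCP/IP stack, so the
# firewall/NetFlow record exists, while the web server logs nothing for it.
# Both log formats below are hypothetical and used only for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    start: datetime
    src: str        # client IP
    sport: int      # client (ephemeral) port
    dport: int      # server port
    bytes_in: int
    bytes_out: int


def _ts(s: str) -> datetime:
    # Accept RFC 3339 "Z" timestamps on older Pythons too.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_firewall(lines):
    """Parse constructed 'TS ACCEPT src:sport -> dst:dport in=N out=M' records.
    Only ACCEPTed sessions matter here; DROP lines never reached the host."""
    sessions = []
    for line in lines:
        parts = line.split()
        if len(parts) != 7 or parts[1] != "ACCEPT":
            continue
        ts, _, src, _, dst, bytes_in, bytes_out = parts
        sip, sport = src.rsplit(":", 1)
        _, dport = dst.rsplit(":", 1)
        sessions.append(Session(_ts(ts), sip, int(sport), int(dport),
                                int(bytes_in.split("=")[1]),
                                int(bytes_out.split("=")[1])))
    return sessions


def parse_app_log(lines):
    """Map (client_ip, client_port) -> list of timestamps the application
    actually served, from constructed 'TS client=IP:PORT METHOD PATH STATUS' lines."""
    served = {}
    for line in lines:
        parts = line.split()
        for field in parts[1:]:
            if field.startswith("client="):
                ip, port = field[len("client="):].rsplit(":", 1)
                served.setdefault((ip, int(port)), []).append(_ts(parts[0]))
    return served


def orphan_sessions(sessions, served, listen_ports, min_bytes=64,
                    window=timedelta(seconds=60)):
    """Sessions on a listening port that carried data in both directions but
    have no application log entry from the same client IP:port within `window`.
    The byte threshold drops empty scans; the time window guards against
    ephemeral-port reuse across a long log."""
    flagged = []
    for s in sessions:
        if s.dport not in listen_ports:
            continue
        if s.bytes_in < min_bytes or s.bytes_out < min_bytes:
            continue
        hits = served.get((s.src, s.sport), [])
        if not any(abs(t - s.start) <= window for t in hits):
            flagged.append(s)
    return flagged


# Constructed sample data: the third ACCEPT has no matching access-log line.
FW_LOG = [
    "2021-11-03T10:15:01Z ACCEPT 198.51.100.23:51234 -> 10.0.0.5:443 in=612 out=4870",
    "2021-11-03T10:15:09Z ACCEPT 198.51.100.23:51235 -> 10.0.0.5:443 in=588 out=12044",
    "2021-11-03T10:16:40Z ACCEPT 203.0.113.77:40311 -> 10.0.0.5:443 in=2210 out=9731",
    "2021-11-03T10:17:02Z ACCEPT 203.0.113.78:40555 -> 10.0.0.5:443 in=0 out=0",
    "2021-11-03T10:17:30Z DROP 192.0.2.9:3333 -> 10.0.0.5:22 in=0 out=0",
]
APP_LOG = [
    "2021-11-03T10:15:01Z client=198.51.100.23:51234 GET /index.html 200",
    "2021-11-03T10:15:09Z client=198.51.100.23:51235 GET /assets/app.js 200",
]


def hunt(fw_lines=FW_LOG, app_lines=APP_LOG, listen_ports=frozenset({443})):
    """Hypothetical entry point: returns the sessions worth investigating."""
    return orphan_sessions(parse_firewall(fw_lines), parse_app_log(app_lines),
                           listen_ports)


if __name__ == "__main__":
    for s in hunt():
        print(f"orphan session {s.src}:{s.sport} -> :{s.dport} at {s.start.isoformat()} "
              f"(in={s.bytes_in} out={s.bytes_out}); application never logged it")
```

This only works where the service reliably logs every accepted connection (a web server with access logging on, for instance) and where connection-level records come from a vantage point outside the compromised host, such as a perimeter firewall or a span port, since a kernel driver on the victim can also suppress local telemetry. An orphan session is a lead, not a verdict: load balancers, health checks, and TLS handshakes that fail before a request is logged will all produce similar gaps, so tune the byte threshold and exclude known sources before paging anyone.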
Symantec researchers noted that Daxin’s most interesting capability is to build a new communications channel across multiple infected machines, with the operator supplying the full list of nodes in a single command, so that traffic can be relayed hop by hop through the compromised network. Daxin’s other capabilities include reading and writing arbitrary files and allowing the threat actor to start and interact with arbitrary processes. Its functionality can be extended by deploying additional components on the victim’s machine.
Symantec says Daxin seems to be based on Zala backdoor’s networking techniques. They also said Daxin was deployed along with the Owprox/Owlproxy trojan in 2019. While Symantec did not attempt to attribute Daxin to a particular threat actor, Lab52 previously attributed Owlproxy to the Chinese APT group known as Chimera.
PolySwarm has multiple samples associated with Daxin backdoor activity.