Background
Symantec recently published research on Daxin backdoor, which they called the “most advanced” malware they have seen from Chinese threat actors.
What is Daxin Backdoor?
Daxin backdoor, active in the wild since at least November 2013, is being used by an unspecified Chinese threat actor group in an espionage campaign targeting governments and critical infrastructure of strategic interest to China. Victim locations and details were not provided. The most recent known attacks using Daxin occurred in November 2021.
Daxin’s sophistication is apparent in its capabilities to infect hardened targets without being detected. It is a Windows kernel driver and uses advanced communications functionality to remain undetected. Rather than starting its own network services, Daxin abuses legitimate TCP/IP services already running. To accomplish this, Daxin monitors all incoming TCP traffic for certain patterns, and when those conditions are fulfilled, Daxin disconnects the user and commandeers the connection. Next, it engages in a custom key exchange with the peer, opening an encrypted channel of communication for sending and receiving data and commands. Using this stealthy method for network communication allows the threat actors to bypass firewall rules and to evade detection by SOC analysts.
Symantec researchers noted Daxin’s most interesting capability is to create a new communications channel across multiple infected machines using a single command to provide the list of nodes. Some of Daxin’s other capabilities include reading and writing arbitrary files and allowing the threat actor to start and interact with arbitrary processes. Functionality can be extended by deploying additional components on the victim’s machine.
Symantec says Daxin seems to be based on Zala backdoor’s networking techniques. They also said Daxin was deployed along with the Owprox/Owlproxy trojan in 2019. While Symantec did not attempt to attribute Daxin to a particular threat actor, Lab52 previously attributed Owlproxy to the Chinese APT group known as Chimera.
IOCs
PolySwarm has multiple samples associated with Daxin backdoor activity.
Hashes
e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217
96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a
8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3
e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e
5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae
7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
a0ac5f7d41e9801b531f8ca333c31021c5e064f13699dbd72f3dfd429f19bb26
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
