Revealed: Daxin—‘China-Linked’ Advanced Stealth Backdoor

Researchers unveiled espionage malware from China yesterday. What they’re calling Backdoor.Daxin “is, without doubt, the most advanced piece of malware” they’ve seen from The People’s Republic.

With the assistance of U.S. CISA, the team has finally identified the use of Daxin, which they first saw in 2013. “Designed for attacks on well-guarded networks,” it’s being used against governments and infrastructure, and has been for years.

It’s all part of Xi Jinping’s goal to make China a “cyber superpower.” In today’s SB Blogwatch, we go hunting for heffalump.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fascinating deep-sea animals.

‘Oh, Bother,’ Said Pooh

What’s the craic? Bill Toulas reports—“Chinese cyberspies target govts with their ‘most advanced’ backdoor”:

First sampled back in 2013
Daxin [is] a China-linked stealthy backdoor specifically designed for deployment in hardened corporate networks that feature advanced threat detection capabilities. [It] is one of the most advanced backdoors ever seen deployed by Chinese actors.

By hijacking TCP communications, [Daxin] can hide malicious communication in what is perceived as legitimate traffic and thus remain undetected. [It] essentially opens an encrypted communication channel for transmitting or stealing data … through a seemingly innocuous TCP tunnel, [via] intricate communication pathways across multiple infected computers at once. [Thus] the chances of the malicious traffic being marked as suspicious are kept at a minimum.

Threat analysts [linked] Daxin to the Chinese state-backed hacking group Slug (aka Owlproxy). [It] has been actively used in attacks since at least November 2019 … even though it’s likely that the stealthy hackers simply remained undetected [before then, because] the malware was first sampled back in 2013.

Context plz? Patrick Howell O’Neill adds color—“How China built a one-of-a-kind cyber-espionage behemoth”:

Make China a cyber superpower
It’s yet another sign that a decade-long quest … is paying off for China. … The country is now among the best in the world thanks to a strategy of tightened control, big spending, and an infrastructure for feeding hacking tools to the government that is unlike anything else in the world.

Chinese cyber researchers are effectively banned from attending international hacking events and competitions, tournaments they once dominated … with regulation requiring all software security vulnerabilities to be reported to the government first, giving Chinese officials unparalleled early knowledge that can be used for defensive or offensive hacking operations. … No other country exerts such tight control over such a vast and talented class of security researchers.

Soon after he ascended to power, President Xi Jinping began a reorganization … which prioritized cyberwarfare and initiated a “fusion” of military and civilian organizations. … Daxin is just the latest powerful tool linked to China over the past year. … Xi’s stated goal is to make China a “cyber superpower.” By any measure, he’s done it.

Horse’s mouth? Broadcom—“Stealthy Backdoor Designed for Attacks Against Hardened Networks”:

Highly probable China-linked
The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets … by attackers linked to China. Most of the targets appear to be organizations and governments of strategic interest to China.

Daxin comes in the form of a Windows kernel driver. … Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets. … Daxin includes some of the most complex features we have seen in a highly probable China-linked malware campaign.

ELI5? WarlockD explains like I’m five:

Scary to know it’s out there
Basically it’s a smart kernel driver. It will build a mesh network on non-internet systems until it can find an outside connection. It will piggyback on TCP or any other communication channels. … Once it finds an open internet connection it will watch for a pattern before it opens up an encrypted channel to get commands.

It’s not a new vector per se, but it shows what a real actor can do when they’ve got time and money. This thing can infect something and just sit there for years until activated, or it could be sending live updates from a mail server with no one being the wiser. [It’s] scary to know it’s out there and it’s been out there for 10 years.

But how does this TCP hijack work? Benjamin Winston—@industrybambam—makes an educated guess:

Protocol-aware proxying matters
I think it’s saying that Daxin won’t initiate or receive connections of any kind but rather trigger on certain strings. Yes, both ends would already have to be compromised, but they now know to use this socket.

If only one side is compromised then the protocol needs to recover. In the case of HTTP this would just be a 400 response followed by the legit endpoint picking back up where it left off. Pretty ingenious really. It’s basically a dog whistle for, “Do you speak backdoor?”

This is why protocol-aware proxying matters. If a connection suddenly starts speaking an entirely different protocol it’s probably a backdoor.
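The detection idea in the comment above, a flow that starts as HTTP and then carries something that is not HTTP, can be checked with a small heuristic. The following is an added example, not code from the page, from Broadcom, or from any of the quoted commenters. It assumes a flow has already been reassembled into application-layer messages (a list of `(direction, payload)` tuples, a hypothetical format chosen for the example), uses a constructed entropy threshold of 6.5 bits per byte, and runs on constructed sample flows rather than real traffic. It flags two things: an opaque high-entropy message where an HTTP request should be, and the "probe rejected with a 400, then HTTP resumes" sequence the comment describes as the recovery path.

```python
"""Protocol-switch heuristic for HTTP flows (constructed example)."""
import math
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical input format: one tuple per application-layer message,
# direction is "c2s" (client to server) or "s2c" (server to client).
Message = Tuple[str, bytes]

_HTTP_REQ = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
_HTTP_RESP = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")

# Constructed threshold: HTTP text sits around 4-5 bits/byte, ciphertext near 8.
OPAQUE_ENTROPY = 6.5
MIN_OPAQUE_LEN = 32


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; 0.0 for an empty payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(direction: str, payload: bytes) -> str:
    """Label one message as 'http', 'opaque' (high-entropy blob) or 'text'."""
    if direction == "c2s" and _HTTP_REQ.match(payload):
        return "http"
    if direction == "s2c" and _HTTP_RESP.match(payload):
        return "http"
    if len(payload) >= MIN_OPAQUE_LEN and shannon_entropy(payload) > OPAQUE_ENTROPY:
        return "opaque"
    return "text"


@dataclass
class Alert:
    index: int   # position of the offending message in the flow
    reason: str


def analyze_flow(messages: List[Message]) -> List[Alert]:
    """Return alerts for an HTTP flow that later stops speaking HTTP.

    Flows whose first message is not HTTP are out of scope for this example.
    """
    alerts: List[Alert] = []
    if not messages or classify(*messages[0]) != "http":
        return alerts
    labels = [classify(d, p) for d, p in messages]
    for i, ((direction, _payload), label) in enumerate(zip(messages, labels)):
        if label != "opaque":
            continue
        alerts.append(Alert(i, f"{direction} message is high-entropy, not HTTP"))
        # Probe-and-recover: opaque blob, server answers 400, normal HTTP resumes.
        if i + 2 < len(messages):
            nxt_dir, nxt = messages[i + 1]
            m = _HTTP_RESP.match(nxt)
            if nxt_dir == "s2c" and m and m.group(1) == b"400" and labels[i + 2] == "http":
                alerts.append(Alert(i, "non-HTTP probe rejected with 400, then HTTP resumed"))
    return alerts


# Constructed sample flows (not captured traffic).
BENIGN_FLOW: List[Message] = [
    ("c2s", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("c2s", b"GET /style.css HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
OPAQUE_BLOB = bytes(range(256))  # constructed stand-in for ciphertext (entropy 8.0)
SUSPECT_FLOW: List[Message] = [
    ("c2s", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("c2s", OPAQUE_BLOB),
    ("s2c", b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"),
    ("c2s", b"GET /style.css HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for name, flow in (("benign", BENIGN_FLOW), ("suspect", SUSPECT_FLOW)):
        for a in analyze_flow(flow):
            print(f"{name}: message {a.index}: {a.reason}")
```

The entropy test is deliberately coarse: compressed or TLS-in-HTTP bodies would also score high, so in practice this sits behind a proxy that already knows the message boundaries and content encoding, which is the "protocol-aware" part of the argument.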

Interesting. Paul Crawford picks up that baton and runs with it:

Reminds me why our one “this has to be windows” server is firewalled from sending data out—not just connections coming in.

Here come the fanbois. mspohr exercises the narrative:

Another Windows virus. People are stupid to run Windows.

O RLY? This Anonymous Coward asks the operative question:

I thought Windows didn’t allow unsigned kernel drivers to be loaded. Is this thing signed by a trusted key? Whose?

Meanwhile, Mark Lechtik signs off, digitally:

The digital signature on some of the samples, signed by Anhua Xinda Technology Co., was in use by the XPath rootkit, a tool leveraged by a Chinese-speaking TA against Central Asian targets around 2017.

And Finally:

Nightmare fuel from the deep

Hat tip: Tusk

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: EH Shepard (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp, on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
