Last Updated on 02/03/2022 by Nidhi Khandelwal
Since at least 2013, a previously unknown espionage tool has been used against a number of governments and critical infrastructure targets as part of a long-running espionage campaign directed by China-linked threat actors.
The backdoor, dubbed Daxin by Broadcom’s Symantec Threat Hunter team, is a technologically advanced malware that allows attackers to conduct a variety of communications and information-gathering operations aimed at entities in the telecom, transportation, and manufacturing sectors that are of strategic interest to China.
In an independent advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) stated, “Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enables remote actors to communicate with secured devices not connected directly to the internet.”
The implant is a Windows kernel driver that implements a complex communications mechanism that gives the malware a high level of stealth and the ability to communicate with PCs that are not connected to the internet.
It accomplishes this by not opening any network services of its own; instead it hijacks legitimate TCP/IP services already running on infected systems, blending its communications with normal network traffic and accepting commands from a remote peer.
“These traits remind us of Regin,” the researchers said, alluding to a sophisticated malware and hacking toolkit attributed to the US National Security Agency (NSA) in 2014 for government eavesdropping activities.