A previously undocumented backdoor has been deployed against selected governments and other critical infrastructure targets as part of a long-running espionage campaign attributed to China-linked threat actors and active since at least 2013.
Broadcom’s Symantec Threat Hunter team characterized the backdoor, named Daxin, as a technologically advanced piece of malware that allows the attackers to carry out a variety of communications and information-gathering operations against entities in the telecom, transportation, and manufacturing sectors that are of strategic interest to China.
“Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enables remote actors to communicate with secured devices not connected directly to the internet,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an independent advisory.
The implant takes the form of a Windows kernel driver that implements an elaborate communications mechanism, giving the malware a high degree of stealth and the ability to reach machines that have no direct connection to the internet.
It achieves this by deliberately not opening any network services of its own. Instead, it piggybacks on legitimate TCP/IP services already running on the infected computers, blending its communications with normal traffic on the target’s network and receiving commands from a remote peer.
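To make the mechanism concrete, the following is an added, deliberately simplified model written for this article; it is not Daxin code, and the marker bytes, handler names and session records in it are hypothetical and constructed here. The first half shows why an implant that interposes on an existing service needs no listening socket of its own: requests that carry the marker are diverted before the legitimate handler sees them, and everything else passes through untouched, so the host still appears to run only the expected service. The second half is the kind of check a defender can run against captured sessions: on a well-known port, flag any session whose first bytes do not conform to the protocol that port is supposed to carry.

```python
"""Constructed illustration of C2 piggybacking on a legitimate TCP service,
plus a protocol-conformance check for captured sessions.

Not Daxin code. The marker, the handlers and the sample sessions below are
hypothetical; the real trigger pattern is not described on this page.
"""
from dataclasses import dataclass, field

# Hypothetical marker the modelled implant looks for at the start of a
# request that has already arrived on the legitimate service's port.
IMPLANT_MARKER = b"\x7f\x00IMPLANT"


def legit_http_service(request: bytes) -> bytes:
    """Stand-in for a legitimate service that owns the listening socket."""
    if request.startswith(b"GET "):
        return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return b"HTTP/1.1 400 Bad Request\r\n\r\n"


@dataclass
class Interposer:
    """Models a component sitting between the network stack and the service.

    It never opens a port: it only inspects data that is already destined
    for the legitimate service and diverts the marked requests.
    """
    commands_seen: list = field(default_factory=list)

    def handle(self, request: bytes) -> bytes:
        if request.startswith(IMPLANT_MARKER):
            cmd = request[len(IMPLANT_MARKER):]
            self.commands_seen.append(cmd)
            # Reply travels back on the same connection; the legitimate
            # service never sees this exchange.
            return b"ACK:" + cmd
        # Unmarked traffic reaches the real service unchanged.
        return legit_http_service(request)


# ---- Defender side ---------------------------------------------------------

# First bytes a session on each well-known port is expected to begin with.
EXPECTED_PREFIXES = {
    80: (b"GET ", b"POST ", b"HEAD "),
    25: (b"EHLO ", b"HELO "),
}


def nonconforming_sessions(sessions):
    """Flag sessions whose first bytes do not match the port's protocol.

    sessions: iterable of (src_ip, dst_port, first_bytes) tuples.
    Returns a list of (src_ip, dst_port, first_bytes[:8]) for flagged ones.
    """
    flagged = []
    for src, port, first in sessions:
        prefixes = EXPECTED_PREFIXES.get(port)
        if prefixes and not first.startswith(prefixes):
            flagged.append((src, port, first[:8]))
    return flagged


def demo():
    """Run the model end to end on constructed traffic and return results."""
    box = Interposer()
    normal = box.handle(b"GET / HTTP/1.1\r\nHost: srv\r\n\r\n")
    covert = box.handle(IMPLANT_MARKER + b"whoami")
    # Constructed session records as a sensor on a network tap might log them.
    sessions = [
        ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
        ("10.0.0.9", 25, b"EHLO mail.internal\r\n"),
        ("10.0.0.7", 80, IMPLANT_MARKER + b"whoami"),
        ("10.0.0.7", 443, b"\x16\x03\x01"),  # no expectation for 443 here
    ]
    return normal, covert, box.commands_seen, nonconforming_sessions(sessions)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the real implant runs as a kernel driver, host-side logs on a suspect machine cannot be trusted to show the diverted sessions; a conformance check like the one above is only meaningful when run from a network tap or a separate sensor that sees the traffic independently of the host.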