China's "most advanced" malware uncovered after nine years in operation

Daxin appears to have been used in a long-running espionage campaign against select government and critical infrastructure targets

New “highly sophisticated” China-linked malware has been discovered that exhibits a level of technical complexity not previously seen from such actors.

The malware, which was discovered by the Symantec Threat Hunter team, appears to have been used in a long-running espionage campaign against select government and other critical infrastructure targets.

The researchers have named the malware Backdoor.Daxin and have worked with the Cybersecurity and Infrastructure Security Agency (CISA) to engage with multiple foreign governments targeted with Daxin and assist them with detection and remediation of this malware.

What is Daxin?

Daxin allows attackers to perform various communications and data-gathering operations on an infected computer. The researchers said there’s strong evidence that it has been used as recently as November 2021 by attackers linked to China. Additionally, other tools associated with Chinese espionage actors were found on some of the computers where Daxin was deployed.

Symantec researchers said it is, without doubt, the most advanced piece of malware they’ve seen used by a China-linked actor. They added that Daxin appears to be optimised for use against hardened targets, allowing attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.

How does Daxin work?

Daxin comes in the form of a Windows kernel driver, which is a relatively rare format for malware nowadays. It implements advanced communications functionality, which gives it a high degree of stealth and allows attackers to communicate with infected computers on highly secured networks, where direct internet connectivity is not available. Symantec said these features are reminiscent of Regin, an advanced espionage tool it discovered in 2014 that has been linked to Western intelligence services.

Its capabilities led researchers to believe the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target’s network. The malware avoids starting its own network services but can abuse any legitimate services already running on the infected computers.

Daxin can also relay its communications across a network of infected computers within the attacked organisation. Attackers can select an arbitrary path across infected computers and send a single command that instructs them to establish requested connectivity. It also features network tunnelling, allowing attackers to communicate with legitimate services on the victim’s network that can be reached from any infected computer.

What makes Daxin different to other malware?

Daxin allows attackers to perform operations on infected computers like reading and writing arbitrary files, as well as starting arbitrary processes and interacting with them. However, its real value, said the researchers, lies in its stealth and communications capabilities.

It can hijack legitimate TCP/IP connections by monitoring all incoming TCP traffic for certain patterns. When the patterns are detected, it disconnects the legitimate recipient and takes over the connection. It can then perform a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange.

A successful key exchange opens an encrypted communication channel for receiving commands and sending responses. This can help Daxin establish connectivity on networks with strict firewall rules, and may lower the risk of discovery.

Researchers said that the most interesting functionality might be its ability to create new communication channels across multiple infected computers, where the list of nodes is provided by the attacker in a single command. For each node, the message includes all the necessary details to establish communication, specifically the node IP address, its TCP port number, and the credentials for the custom key exchange.

When Daxin receives the message, it picks the next node from the list, then uses its own TCP/IP stack to connect to the TCP server listed in the selected entry. Once connected, the malware starts the initiator side protocol. If the peer computer is infected, this results in opening a new encrypted communication channel. An updated copy of the original message is then sent over to the new channel, and the process is repeated for the remaining nodes.

“While it is not uncommon for attackers’ communications to make multiple hops across networks in order to get around firewalls and generally avoid raising suspicions, this is usually done step-by-step, such that each hop requires a separate action,” wrote the researchers. “However, in the case of Daxin, this process is a single operation, suggesting the malware is designed for attacks on well-guarded networks, where attackers may need to periodically reconnect into compromised computers.”
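A defender-side view of the behaviour described above, as an added example that is not code from the article or from Symantec's report: it scans constructed flow records for connection chains whose hops each start from the previous hop's destination within seconds, the telemetry footprint a one-command multi-hop path would leave. The host addresses, ports and five-second window are assumptions.

```python
# Added example (not from the article or Symantec): flag relay-style chains
# of connections, the flow-telemetry footprint of a one-command multi-hop path.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: (start_time, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2021-11-03T10:00:00", "10.0.1.20", "10.0.2.30", 443),   # hop 1
    ("2021-11-03T10:00:01", "10.0.2.30", "10.0.3.40", 445),   # hop 2
    ("2021-11-03T10:00:02", "10.0.3.40", "10.0.4.50", 8080),  # hop 3
    ("2021-11-03T10:05:00", "10.0.9.9", "10.0.2.30", 443),    # unrelated
    ("2021-11-03T11:00:00", "10.0.2.30", "10.0.3.40", 445),   # too late to chain
]

def parse_flows(rows):
    """Convert raw rows into (datetime, src, dst, port) tuples."""
    return [(datetime.fromisoformat(t), s, d, p) for t, s, d, p in rows]

def find_relay_chains(flows, window_s=5, min_hops=3):
    """Return maximal chains (lists of flows, each >= min_hops long) where every
    hop originates from the previous hop's destination within window_s seconds."""
    flows = sorted(flows)
    window = timedelta(seconds=window_s)
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
        by_dst[f[2]].append(f)

    def is_root(f):
        # A flow starts a chain if nothing reached its source just before it.
        return not any(f[0] - window <= g[0] < f[0] for g in by_dst[f[1]])

    chains = []

    def extend(chain):
        last = chain[-1]
        nexts = [n for n in by_src[last[2]] if last[0] < n[0] <= last[0] + window]
        for n in nexts:
            extend(chain + [n])
        if not nexts and len(chain) >= min_hops:
            chains.append(chain)

    for f in flows:
        if is_root(f):
            extend([f])
    return chains

def chain_hosts(chain):
    """Host path of a chain, e.g. ['10.0.1.20', '10.0.2.30', '10.0.3.40', '10.0.4.50']."""
    return [chain[0][1]] + [f[2] for f in chain]
```

Only chains that begin at a host nothing reached moments earlier are reported, so a four-host path is returned once rather than as each of its suffixes.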

Where was Daxin discovered?

Symantec’s team identified Daxin deployments in government organisations as well as entities in the telecommunications, transportation, and manufacturing sectors.

While the most recent attacks involving the malware were in November 2021, the earliest known sample of Daxin is from 2013 and already includes the advanced features seen in the most recent variants. Symantec said this suggests the attackers were already well established by 2013.

Researchers think that, before developing Daxin, the attackers were experimenting with other techniques. An older piece of malware, Backdoor.Zala or Exforel, shared a number of common features but lacked Daxin’s advanced capabilities. Daxin appears to build on Zala’s networking techniques, leading researchers to believe its designers had access to Zala’s codebase.

Has Daxin been linked to espionage actors?

Researchers have found several examples of attacks where tools known to be associated with Chinese espionage actors have been observed along with what appear to be variants of Daxin.

There was an attack against an IT company in November 2019, where the attackers used a single PsExec session to first attempt to deploy Daxin before resorting to Owprox. Owprox is associated with Slug, a China-linked espionage group.

There was also malicious activity in May 2020 where Daxin and Owprox were seen on a single computer belonging to an unnamed technology company.

Lastly, there was also an attack against a military target in July 2020, where attackers made two unsuccessful attempts to deploy a suspicious driver. When these failed, attackers deployed a variant of Emulov instead. Symantec believes it is highly likely the attackers attempted to deploy Daxin before falling back on other malware.
