Daxin Malware : New Espionage Backdoor

Daxin is a backdoor developed for cyberespionage. According to the Cybersecurity and Infrastructure Security Agency (CISA), "Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet. Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks & exfiltrate data without raising suspicions".

In recent research, the Symantec Threat Hunter Team identified a highly sophisticated piece of malware used by China-linked threat actors. Their analysis indicates that the malware has been used in a long-running cyberespionage campaign against selected governments and other critical infrastructure targets.


Technical Overview of Daxin: –

Daxin comes in the form of a Windows kernel driver, a format that is rare for malware nowadays. Its features resemble those of Regin, an advanced espionage tool discovered by Symantec in 2014. It implements an advanced communication mechanism that gives the malware a high degree of stealth and also allows the attackers to communicate with infected computers on highly secured networks where no direct internet connection is available.

It is designed not to open any network services of its own. Instead, it abuses legitimate services that are already running on the infected computer. This means the malware blends its network traffic with the normal traffic of the target's network, which makes it stealthier.

It can relay its communications across the network of infected computers within the attacked organization. The attacker uses this feature by selecting an arbitrary path across infected computers and then sending a single command that instructs them to establish the requested connectivity between them.

It also features network tunneling, which allows attackers to communicate with legitimate services on the victim's network that are reachable from any infected computer.


Detail Analysis of Daxin: –

It is a backdoor that allows the attacker to perform many operations on the victim machine, such as reading and writing arbitrary files and starting arbitrary processes and interacting with them. Its main strengths are its stealth and its communication capabilities.

It communicates by hijacking legitimate TCP/IP connections. To do so, it monitors all incoming TCP connections for a specific pattern. When it detects that pattern, it disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer; the malware can be either the initiator or the target of the key exchange. After a successful key exchange, it opens an encrypted communication channel for receiving commands and sending responses. Using hijacked TCP connections gives the malware's communications a high degree of stealth and also helps it establish connectivity on networks with strict firewall rules.

Daxin's built-in functionality can be extended by deploying additional components on the infected computer. It provides a dedicated mechanism for this: the driver implements a device named \\.\Tcp4, which malicious components can open to register themselves for communication. Each component can associate a 32-bit service identifier with its opened \\.\Tcp4 handle. The attacker can then communicate with a selected component by specifying the matching service identifier when sending messages of a certain type. The driver also includes a mechanism for sending responses back.

Some messages encapsulate raw network packets to be transmitted via the local network adapter. The driver then tracks the resulting network flows so that any response packets are captured and forwarded to the remote attacker. This allows the attacker to establish connections with legitimate services that are accessible from the infected machine on the target's network; in effect, the remote attacker uses network tunnels to interact with internal servers of interest.


Malware related to Daxin activity: –



File names associated with Daxin activity: –

  • “ipfltdrvs.sys”
  • “ndislan.sys”
  • “ndislan_win2008_x64.sys”
  • “ntbios.sys”
  • “patrol.sys”
  • “performanceaudit.sys”
  • “print64.sys”
  • “printsrv64.sys”
  • “prv64.sys”
  • “sqlwriter.sys”
  • “srt.sys”
  • “srt64.sys”
  • “syswant.sys”
  • “usbmrti.sys”
  • “vncwantd.sys”
  • “wantd.sys”
  • “win2k8.sys”
  • “wmipd.sys”
  • “[CSIDL_SYSTEM]\drivers\pagefile.sys”
  • “[CSIDL_SYSTEM]\spool\drivers\ntds.sys”
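As an added defender-side example (not from the original article or from Symantec), the following Python hunts a `driverquery /v /fo csv`-style driver listing for the Daxin-associated file names and paths above; the CSV sample is constructed, and `[CSIDL_SYSTEM]` is assumed to expand to `\Windows\System32`.

```python
"""Hunt loaded kernel drivers against the Daxin-associated file names."""
import csv
import io

# File names Symantec associated with Daxin activity (from the page).
DAXIN_DRIVER_NAMES = {
    "ipfltdrvs.sys", "ndislan.sys", "ndislan_win2008_x64.sys", "ntbios.sys",
    "patrol.sys", "performanceaudit.sys", "print64.sys", "printsrv64.sys",
    "prv64.sys", "sqlwriter.sys", "srt.sys", "srt64.sys", "syswant.sys",
    "usbmrti.sys", "vncwantd.sys", "wantd.sys", "win2k8.sys", "wmipd.sys",
}
# Path suffixes from the page; [CSIDL_SYSTEM] assumed to be \Windows\System32.
DAXIN_DRIVER_PATH_SUFFIXES = {
    r"\drivers\pagefile.sys",    # a real pagefile.sys never lives under drivers\
    r"\spool\drivers\ntds.sys",  # a kernel driver hidden in the spooler tree
}

# Constructed sample in the shape of `driverquery /v /fo csv` output,
# trimmed to the columns this check needs. Not real telemetry.
SAMPLE_DRIVERQUERY_CSV = """\
"Module Name","Display Name","Driver Type","Path"
"tcpip","TCP/IP Protocol Driver","Kernel","C:\\Windows\\System32\\drivers\\tcpip.sys"
"wantd","Wan Transport Driver","Kernel","C:\\Windows\\System32\\drivers\\wantd.sys"
"ntds","Directory Service Filter","Kernel","C:\\Windows\\System32\\spool\\drivers\\ntds.sys"
"ndis","NDIS System Driver","Kernel","C:\\Windows\\System32\\drivers\\ndis.sys"
"""


def find_daxin_drivers(driverquery_csv: str) -> list:
    """Return driver rows whose file name or path matches a Daxin indicator.

    Each hit is a dict with the module name, the full path and the list of
    reasons it was flagged, so an analyst can see which indicator fired.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(driverquery_csv)):
        path = row["Path"]
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in DAXIN_DRIVER_NAMES:
            reasons.append(f"file name '{name}' is a Daxin-associated driver name")
        for suffix in DAXIN_DRIVER_PATH_SUFFIXES:
            if path.lower().endswith(suffix.lower()):
                reasons.append(f"path ends with '{suffix}'")
        if reasons:
            hits.append({"module": row["Module Name"], "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_daxin_drivers(SAMPLE_DRIVERQUERY_CSV):
        print(hit["module"], hit["path"], "; ".join(hit["reasons"]))
```

A file-name match is a lead, not a verdict: confirm with the file hash and its digital signature before treating the host as compromised.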


Malware observed during overlapping activities: –



Remediation Measures: –

To avoid such types of attacks, follow measures such as: –

  • Always be careful when downloading documents.
  • Ensure that endpoint protection, antivirus and anti-malware are configured and hardened on all end nodes.
  • Execution of open-source/pirated software should be prohibited.
  • A web proxy should be implemented.
  • Security patches need to be applied on all end devices.
  • Data Loss Prevention (DLP) needs to be implemented on end devices.
  • Implement a Web Application Firewall (WAF) with a strong security policy; consider placing a load balancer in front of the WAF for high-traffic environments.
  • Configure outbound and inbound rules on web and application servers, and filter ports via the firewall.
  • Filter ports for any incoming traffic with parameter-level IPS.
  • Next-generation firewalls should be implemented with up-to-date firmware and malicious-traffic signatures, and be strictly configured according to best security practices.