Daxin, a stealthy China-linked backdoor built mainly for deployment in hardened corporate networks with strong threat detection capabilities, has been uncovered by security researchers. According to a technical analysis published by Symantec's Threat Hunter team, Daxin is one of the most complex backdoors ever seen deployed by China-linked attackers.
This backdoor stands out because of its form, a Windows kernel driver, which is an unusual option in the malware world. Its stealth originates from innovative communication capabilities that blend data sharing with conventional internet traffic.
Threat actors use backdoors to gain remote access to a compromised system, allowing them to steal data, run commands, or download and install additional malware. Because such tools are typically used to exfiltrate information from protected networks or to compromise a device further, they must encrypt or obfuscate their data transfers to avoid raising alarms on network traffic monitoring tools.
Daxin does this by watching for particular patterns in the network traffic reaching an infected device. When it sees those patterns, it hijacks a legitimate TCP connection and uses it to communicate with its command-and-control server. By hijacking TCP conversations, Daxin can hide malicious communication inside what appears to be ordinary traffic and so go unnoticed.
“Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies,” explains the report by Symantec.
This effectively creates an encrypted communication channel for sending or stealing data across a harmless TCP tunnel. Daxin is particularly notable for its capacity to make complex communication paths across several infected machines simultaneously by sending a single instruction to a group of nodes.
This lets threat actors quickly re-establish connections and encrypted communication channels even in well-protected networks. At the same time, while the nodes are online and acting as relay points, the odds of the malicious traffic being flagged as suspicious are minimized.
Symantec’s threat experts have discovered evidence tying Daxin to the Chinese state-backed hacker outfit Slug (also known as Owlproxy). According to reports, the backdoor has been regularly employed in cyberattacks from at least November 2019, with traces of its deployment being seen again in May and July 2020. Daxin’s most recent attacks, which targeted telecommunications, transportation, and manufacturing organizations, were observed in November 2021.
It's worth noting that Symantec believes the earliest Daxin sample dates from 2013, and that it already had detection and evasion capabilities similar to those seen in the latest version. However, no Daxin-related attacks were identified until 2019, the attackers most likely having gone unnoticed until then.