US warns Chinese hackers have their ‘most advanced’ backdoor yet

A white padlock on a dark digital background.

(Image credit: Shutterstock.com)

An “ancient” Chinese malware, capable of avoiding advanced threat detection solutions, has been spotted in the wild, once again, researchers are saying.

Experts from Symantec have published a report detailing their findings on Daxin, “the most advanced piece of malware” the company says it has ever had the chance to observe.

The team claims that Daxin is a stealthy backdoor designed to gain control over, and exfiltrate data from, endpoints on tough-to-break corporate networks.

Finally spotted

According to the report, Daxin was created by Slug, also known as Owlproxy, a threat actor with ties to the Chinese government. It was first spotted in 2013, and even a decade ago, it was already capable of avoiding detection from state-of-the-art antivirus solutions.

It lay dormant until late 2019 (or security pros were just unable to detect it, which is also highly likely), when it re-emerged, targeting telecommunication, transportation, and manufacturing companies, all throughout 2020 and 2021.

What makes Daxin stand out from other malware is its atypical form and the way it hides its communications with the C2 server. The malware is described as a Windows kernel driver that looks for patterns in network traffic.

Once it spots a pattern, it will hijack the legitimate TCP connection and use it to send out data and receive further instructions.

> Linux systems targeted with dangerous new Chinese malware

> This Linux backdoor went undetected for 10 years

> More cyberattacks come from China than the rest of the world combined, FBI head claims

"Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions," Symantec says.

"Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies."

Another thing that makes Daxin particularly dangerous is its ability to set up a complex communication channel through multiple endpoints, enabling persistence on highly guarded networks.

Symantec did not say the names of organizations the group was targeting this time around.

Check out the best firewalls right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.