Another stealthy rootkit backdoor used for espionage has been uncovered. The malware, dubbed Daxin (and detected as Backdoor.Daxin), is capable of carrying out attacks against hardened networks, said Symantec Threat Hunter team researchers.
A Look into Daxin Backdoor
Daxin is described as a “highly sophisticated piece of malware being used by China-linked threat actors.” The tool has been exhibiting previously unseen technical complexity, and has been used in long-term espionage campaigns against specific governments and critical infrastructure organizations.
Backdoor.Daxin allows threat actors to perform sophisticated data-gathering operations against targets of strategic interest to China. Daxin is also not the only tool associated with Chinese APT (Advanced Persistent Threat) actors that was discovered on some of the infected computers Symantec accessed.
Exactly how sophisticated is Daxin?
“Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor. Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” according to the report.
The malware's authors evidently invested “significant effort” in making it very hard to detect. It blends in with normal network traffic while remaining unseen, and it specifically avoids starting its own network services, instead abusing legitimate services already running on the compromised systems.
The malware is also capable of network tunneling, making it possible for threat actors to communicate with legitimate services on an infected host, which can then be reached from any other infected computer. Its other malicious capabilities include reading and writing arbitrary files, starting arbitrary processes and interacting with them, and hijacking legitimate TCP/IP connections. It can also deploy additional components on the compromised host.
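Because a backdoor of this kind opens no listening port of its own and rides on legitimate service ports, port inventories and signature scans have little to work with; what tunneling through a chain of compromised hosts does leave behind is a timing pattern in connection logs, where a host receives an inbound connection and, seconds later, opens an outbound one to a further internal host. The following relay-chain heuristic is an added example written for this article; it is not Symantec's code and not derived from Daxin. The log layout, the sample flows, the 30-second window and the `find_relay_chains`/`parse_log` names are all assumptions made for the example.

```python
"""Relay-chain heuristic over connection logs.

Added example for this article, not Symantec's code and not Daxin's. It flags
sequences in which a host receives an inbound connection and, within a short
window, opens an outbound connection to another internal host, the shape that
tunneling through a chain of compromised machines leaves in flow logs even when
every hop uses a legitimate service port. Log format, timings and thresholds
are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dst port>".
# Lines 1-3 form a three-hop relay over ordinary SMB/RDP ports within seconds;
# lines 4-5 are unrelated web connections hours apart.
SAMPLE_LOG = """\
2022-03-01T10:00:00 10.0.5.7 10.0.1.10 445
2022-03-01T10:00:03 10.0.1.10 10.0.2.20 445
2022-03-01T10:00:05 10.0.2.20 10.0.3.30 3389
2022-03-01T11:00:00 10.0.9.9 10.0.1.11 80
2022-03-01T15:00:00 10.0.1.11 10.0.2.21 80
"""


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log layout; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(datetime.fromisoformat(parts[0]),
                              parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return sorted(flows, key=lambda f: f.ts)


def find_relay_chains(flows: List[Flow],
                      window: timedelta = timedelta(seconds=30),
                      min_flows: int = 2) -> List[Tuple[str, ...]]:
    """Return host paths (h0, h1, ..., hn) for each maximal chain of flows in
    which every flow starts at the previous flow's destination within `window`.
    Only chains of at least `min_flows` connections are reported."""
    by_last_dst: Dict[str, List[list]] = {}   # host -> open chains ending there
    all_chains: List[list] = []               # each entry: [flows, was_extended]
    for f in flows:
        extended_any = False
        for chain in list(by_last_dst.get(f.src, [])):
            last = chain[0][-1]
            hosts = {x.src for x in chain[0]} | {x.dst for x in chain[0]}
            # Extend only within the window and never back into a host
            # already on the chain (avoids reporting loops).
            if last.ts <= f.ts <= last.ts + window and f.dst not in hosts:
                chain[1] = True
                new = [chain[0] + [f], False]
                all_chains.append(new)
                by_last_dst.setdefault(f.dst, []).append(new)
                extended_any = True
        if not extended_any:
            # A flow that extends nothing may be the first hop of a new chain.
            new = [[f], False]
            all_chains.append(new)
            by_last_dst.setdefault(f.dst, []).append(new)
    results = []
    for chain, was_extended in all_chains:
        if not was_extended and len(chain) >= min_flows:
            results.append(tuple([chain[0].src] + [x.dst for x in chain]))
    return results


if __name__ == "__main__":
    for path in find_relay_chains(parse_log(SAMPLE_LOG)):
        print("possible relay chain:", " -> ".join(path))
```

On the sample log this reports a single chain through four hosts and ignores the two web connections, because they are hours apart. In a real deployment the window and the minimum chain length are the tuning knobs: legitimate multi-tier applications also produce inbound-then-outbound patterns, so the output is a lead for an analyst to correlate with process and authentication telemetry, not an alert on its own.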
Other Recently Discovered Sophisticated Backdoors
Another recently uncovered sophisticated backdoor is SockDetour, which targets U.S.-based defense contractors. Researchers describe it as a custom backdoor that can also act as a backup backdoor in case the primary one is removed from the compromised system. The analysis shows that it is difficult to detect, as it operates filelessly and socketlessly on affected Windows servers.