Symantec Discovers Advanced Cyber Espionage Tool Linked to China
The U.S. Cybersecurity and Infrastructure Security Agency issued an alert Monday about a China-linked, stealthy new cyber threat called Daxin, which is optimized for hardened targets that are not connected directly to the internet.
The alert calls out the work of Symantec’s Threat Hunter Team, which is preparing a series of blog posts on the threat, the first of which was published on 28 February. The alert said the team discovered the malicious software and then worked with CISA to neutralize the threat in multiple governments' networks that were targeted.
There’s new insight from the Symantec @threatintel team into Daxin #Malware. Learn more about these advanced attacks and our work to stop them. https://t.co/EM6d9H8QSo
— Symantec by Broadcom Software (@symantec) February 28, 2022
Daxin is a so-called backdoor application, meaning it provides access to a network in a way that bypasses the system’s security protocols. From the Symantec blog post:
“Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor. Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.”
In an article from Cyberscoop, Dick O’Brien described Daxin as “near the same level as malware we’ve seen attributed to Western powers, but maybe not as well put together.”
Symantec reported that it has identified deployments in “government organizations, as well as in the telecommunications, transportation, and manufacturing sectors.” The most recent known use of Daxin is November 2021, however Symantec’s analysis of the malware shows that it has been in use since at least 2013.
Daxin is delivered in the form of a Windows kernel driver and sets up communications pathways that are incredibly hard to detect, according to the Symantec report. Malware is often identified when the software creates its own network services to function, but Daxin is able to sidestep this detection by using legitimate services already running on the system. The blog post offers a much more detailed analysis of how the malware works.
The Massachusetts Institute of Technology’s Technology Review published an article by Partick Howell O’Neill, who noted that the discovery of Daxin is the most recent example of how China has become the latest cyber espionage super power.
How China built a one-of-a-kind cyber-espionage behemoth to last https://t.co/ohPhXpk8GR
— MIT Technology Review (@techreview) March 1, 2022
“The newly discovered malware is no one-off,” he wrote. “It’s yet another sign that a decade-long quest to become a cyber superpower is paying off for China. While Beijing’s hackers were once known for simple smash-and-grab operations, the country is now among the best in the world thanks to a strategy of tightened control, big spending, and an infrastructure for feeding hacking tools to the government that is unlike anything else in the world.”
China’s capabilities in this area rival that of the United States and could even exceed it, according to the article.