US warns Chinese hackers have their ‘most advanced’ backdoor yet

An “ancient” Chinese malware, capable of avoiding advanced threat detection solutions, has been spotted in the wild, once again, researchers are saying.

Experts from Symantec have published a report detailing their findings on Daxin, “the most advanced piece of malware” the company says it has ever had the chance to observe.

The team claims that Daxin is a stealthy backdoor designed to gain control over, and exfiltrate data from, endpoints on tough-to-break corporate networks.

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.

>> Click here to start the survey in a new window <<

Finally spotted

According to the report, Daxin was created by Slug, also known as Owlproxy, a threat actor with ties to the Chinese government. It was first spotted in 2013, and even a decade ago, it was already capable of avoiding detection from state-of-the-art antivirus solutions.

It lay dormant until late 2019 (or security pros were just unable to detect it, which is also highly likely), when it re-emerged, targeting telecommunication, transportation, and manufacturing companies, all throughout 2020 and 2021. 

What makes Daxin stand out from other malware is its atypical form and the way it hides its communications with the C2 server. The malware is described as a Windows kernel driver that looks for patterns in network traffic.

Once it spots a pattern, it will hijack the legitimate TCP connection and use it to send out data and receive further instructions. 

Read more

> Linux systems targeted with dangerous new Chinese malware

> This Linux backdoor went undetected for 10 years

> More cyberattacks come from China than the rest of the world combined, FBI head claims

"Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions," Symantec says.

"Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies." 

Another thing that makes Daxin particularly dangerous is its ability to set up a complex communication channel through multiple endpoints, enabling persistence on highly guarded networks.

Symantec did not say the names of organizations the group was targeting this time around.

• Check out the best firewalls right now