Daxin Malware All the Way from China

Researchers from Symantec have discovered a highly sophisticated dubbed Daxin, Chinese hacking tool that has been able to escape public attention for more than a decade.

CISA was announcing Symantec’s inclusion into a joint public-private cybersecurity information sharing partnership, known as the JCDC.

The JCDC, or Joint Cyber Defense Collaborative, is a collective of government defense agencies, including the FBI and National Security Agency, and 22 U.S. technology companies that share intelligence about active cyberattacks with one another.

Chinese officials have previously said China is also a victim of hacking and opposes all forms of cyber attacks. Symantec’s attribution to China is based on instances where components of Daxin were combined with other known, Chinese-linked computer hacker infrastructure or cyberattacks.

Symantec researchers said the discovery of Daxin was noteworthy because of the scale of the intrusions and the advanced nature of the tool.

Daxin operates as a Windows kernel driver. It is designed “optimized,” for the use of single external command to hop from infected system to infected system on a single network with varying security measures put in place. While it is not unusual to use multiple infected systems to bridge across systems, usually it takes individual instructions from node to node.

Daxin appears to have been in continuous use since its development, with the most recent sample being collected by Symantec in November 2021. There is code overlap with Exforel (a.k.a. Zala) malware, which had similar features but less obsessive security and Symantec now assumes came from the same development team. Symantec believes that team was active since 2009.

Daxin’s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic. Daxin’s victims included high-level, non-western government agencies in Asia and Africa, including Ministries of Justice.

Indicators of Compromise

• 06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4 Backdoor.Daxin (64-bit core)
• 0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555 Backdoor.Daxin (64-bit core)
• 3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4 Backdoor.Daxin (64-bit core)
• 447c3c5ac9679be0a85b3df46ec5ee924f4fbd8d53093125fd21de0bff1d2aad Backdoor.Daxin (64-bit core)
• 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 Backdoor.Daxin (64-bit core)
• 5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae Backdoor.Daxin (64-bit core)
• 5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a Backdoor.Daxin (64-bit core)
• 6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f Backdoor.Daxin (64-bit core)
• 7867ba973234b99875a9f5138a074798b8d5c65290e365e09981cceb06385c54 Backdoor.Daxin (64-bit core)
• 7a08d1417ca056da3a656f0b7c9cf6cd863f9b1005996d083a0fc38d292b52e9 Backdoor.Daxin (64-bit core)
• 8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce Backdoor.Daxin (64-bit core)
• b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427 Backdoor.Daxin (64-bit core)
• b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3 Backdoor.Daxin (64-bit core)
• cf00e7cc04af3f7c95f2b35a6f3432bef990238e1fa6f312faf64a50d495630a Backdoor.Daxin (64-bit core)
• e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e Backdoor.Daxin (64-bit core)
• ea3d773438c04274545d26cc19a33f9f1dbbff2a518e4302addc1279f9950cef Backdoor.Daxin (64-bit core)
• 08dc602721c17d58a4bc0c74f64a7920086f776965e7866f68d1676eb5e7951f Backdoor.Daxin (dropper)
• 53d23faf8da5791578c2f5e236e79969289a7bba04eee2db25f9791b33209631 Backdoor.Daxin (dropper)
• 7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376 Backdoor.Zala (32-bit core)
• 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e Backdoor.Zala (32-bit core)
• 96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc Backdoor.Trojan (32-bit core)
• 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51 Backdoor.Trojan (32-bit core)
• c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c Backdoor.Trojan (32-bit core)
• e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217 Backdoor.Trojan (32-bit core)

File names attributed to Daxin activity:

“ipfltdrvs.sys”

“ndislan.sys”

“ndislan_win2008_x64.sys”

“ntbios.sys”

“patrol.sys”

“performanceaudit.sys”

“print64.sys”

“printsrv64.sys”

“prv64.sys”

“sqlwriter.sys”

“srt.sys”

“srt64.sys”

“syswant.sys”

“usbmrti.sys”

“vncwantd.sys”

“wantd.sys”

“win2k8.sys”

“wmipd.sys”

“[CSIDL_SYSTEM]\drivers\pagefile.sys”

“[CSIDL_SYSTEM]\spool\drivers\ntds.sys”

Malware observed during overlapping activities:

• 705be833bd1880924c99ec9cf1bd0fcf9714ae0cec7fd184db051d49824cbbf4 suspected Backdoor.Daxin
• c791c007c8c97196c657ac8ba25651e7be607565ae0946742a533af697a61878 suspected Backdoor.Daxin
• 514d389ce87481fe1fc6549a090acf0da013b897e282ff2ef26f783bd5355a01 Trojan.Emulov (core)
• 1a5c23a7736b60c14dc50bf9e802db3fcd5b6c93682bc40141d6794ae96138d3 Trojan.Emulov (dropper)
• a0ac5f7d41e9801b531f8ca333c31021c5e064f13699dbd72f3dfd429f19bb26 Trojan.Owprox (core)
• aa7047a3017190c66568814eb70483bf74c1163fb4ec1c515c1de29df18e26d7 Trojan.Owprox (dropper)