New malware attributed to China — more technologically advanced, stealthy and long-lasting than any seen before from the country — is challenging the orthodoxy of Chinese threat intelligence.
Researchers at Broadcom's Symantec division on Monday detailed and attributed the malware they have dubbed Daxin, which has been used in attacks in some form since at least 2013. Nine years is extreme longevity for any threat actor, especially one from China — not regarded as a nation interested primarily in staying under the radar. In its report, Symantec calls Daxin "the most advanced piece of malware Symantec researchers have seen from China-linked actors."
"The common belief that actors operating in China are always targeting low-hanging fruit, always creating malware that can be detected pretty quickly after it enters in a network or target? That's not only flawed, but Daxin shows that it has been flawed for a period of time," said Vikram Thakur, technical director at Symantec Threat Intelligence.
China joins nations like Russia in running separate efforts for louder smash-and-grab operations and for barely noticeable stealth operations. With China, this opens up an entirely new class of victims: organizations that, on noticing an attack, may react in a way that jeopardizes ongoing missions.
"All the victims that we're aware of — these are not organizations that hold intellectual property or commercial information. This is a classic espionage-driven piece of malware," said Thakur.
The malware stays stealthy by not opening new network services or communicating in any way that would raise red flags. Instead, it hijacks legitimate TCP/IP services, listening on port 80 for traffic patterns it can interpret as a command.
Daxin operates as a Windows kernel driver. It is designed, or "optimized," as the report puts it, so that a single external command can hop from infected system to infected system across a network with varying security measures in place. Using multiple infected systems as a bridge is not unusual, but normally each node along the path needs its own individual instructions.
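The port-80 hijacking described above is what a defender has to look for at the network layer: a host that answers on a legitimate HTTP port but exchanges something that is not HTTP. The triage script below is an added example and is not code from Symantec's report or from any Daxin analysis. The flow-record format, the hex payload samples and the "non-HTTP first bytes on port 80" heuristic are assumptions constructed for illustration; the article does not describe Daxin's actual command pattern, so the script flags generic protocol mismatch, not Daxin itself.

```python
"""Triage heuristic: flag TCP flows to port 80 whose first client payload
bytes do not look like HTTP.

Added illustrative example (not Symantec's code).  The one-line flow-record
format and the sample records are constructed; the heuristic is generic and
will also flag legitimate non-HTTP services that happen to use port 80.
"""
import re
from dataclasses import dataclass

# Request lines start with a method token; responses start with a status line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
HTTP_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def looks_like_http(payload: bytes) -> bool:
    """True if the initial bytes are a plausible HTTP request or response."""
    return payload.startswith(HTTP_METHODS) or bool(HTTP_STATUS_LINE.match(payload))


def parse_flow_line(line: str) -> Flow:
    """Parse the constructed record format: 'src dst dport hex-payload'."""
    src, dst, dport, hexpayload = line.split()
    return Flow(src, dst, int(dport), bytes.fromhex(hexpayload))


def suspicious_port80_flows(lines):
    """Return flows to port 80 whose first bytes are not HTTP."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        if flow.dport == 80 and flow.first_bytes and not looks_like_http(flow.first_bytes):
            flagged.append(flow)
    return flagged


# Constructed sample sensor output: two real-looking HTTP requests, one
# opaque binary blob sent to port 80, and a TLS ClientHello on 443 (ignored).
SAMPLE_LOG = """
# src dst dport first-payload-bytes(hex)
10.0.0.5 10.0.0.20 80 474554202f20485454502f312e310d0a
10.0.0.7 10.0.0.20 80 504f5354202f6c6f67696e20485454502f312e310d0a
10.0.0.9 10.0.0.20 80 00a1b2c3d4e5f60708
10.0.0.9 10.0.0.20 443 1603010200
"""

if __name__ == "__main__":
    for f in suspicious_port80_flows(SAMPLE_LOG.splitlines()):
        print(f"non-HTTP payload on port 80: {f.src} -> {f.dst} {f.first_bytes.hex()}")
```

In practice the input would be first-payload captures from a network sensor or a proxy that logs the initial bytes of each connection. The heuristic is deliberately coarse: it surfaces hosts that deserve a closer look (for example, a web server that is also receiving opaque binary on port 80) rather than making a verdict, and it says nothing about hosts that never see a matching trigger packet during the capture window.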
Daxin appears to have been in continuous use since its development, with the most recent sample collected by Symantec in November 2021. Its code overlaps with the Exforel (a.k.a. Zala) malware, which had similar features but was less obsessive about security; Symantec now assumes both came from the same development team, which it believes has been active since 2009.
Beyond code overlap, including a library only seen in use previously by the Exforel actor in 2019 and 2020, the Daxin malware was seen alongside an attack from the China-linked Owlproxy. In November 2019, when Daxin failed to install, attackers switched to Owlproxy in an attack on a technology company. The following May, Daxin and Owlproxy were installed on the same system of a different technology company.
The Symantec blog includes indicators of compromise, associated filenames, and other malware seen during Daxin attacks.
Symantec worked with the Cybersecurity and Infrastructure Security Agency (CISA) through the Joint Cyber Defense Collaborative (JCDC) public/private partnership to reach the foreign governments of the potential victims Symantec had detected.
"Within 48 hours of contacting JCDC, we put on a call with the first government that we worked with, along with DHS and JCDC," said Thakur. "I guess when the U.S. government calls, other countries pick up the phone."