Researchers at Broadcom's Symantec, who detailed "China's most advanced piece of malware" on the last day of February, believe they have tracked down the pseudonym of one of its developers.
"We have data which points the development of this tool to a certain persona in Chinese forums," said Vikram Thakur, technical director at Symantec Threat Intelligence.
The malware, known as Daxin, would upend many assumptions about how China operates its espionage operations. Traditionally an actor not overly concerned with stealth, Daxin stayed under the radar for a decade or more.
Daxin's low profile came from a clever hijacking of Windows TCP to disguise traffic as legitimate, announced in the February blog, and a limited set of targets. Symantec is only aware of "one or two" infections a year, said Thakur, which remained constant throughout the duration of the malware.
"We have pretty decent visibility," he said. "One or two [for us] might convert to three or four" overall.
Thakur spoke to SC as Symantec released two new blogs detailing the internals of the malware.
The first explains how driver-based Daxin malware hooks into the Network Driver Interface Specification of Windows. The malware looks for a "magic byte" in the data section of TCP packets. Daxin can also reach out to its handler by staging a DNS request and interpreting the response. The connections initiate a key exchange to open a secure communications channel.
The second blog details advanced communications between networked, infected systems and discloses the magic byte values — China has used two over time. The malware is optimized for complex instructions involving multiple machines. Using limited instructions, one system could tell a second to use a third as a proxy to contact a fourth.
Thakur said that while the magic byte is an interesting internal quirk, attackers will, obviously, change the value after it has now been exposed. The best defense for network defenders is to search for anomalous drivers and unusual use of PowerShell, which Daxin's users take advantage of in the course of their attack.
Symantec attributed the malware to a Chinese government-affiliated actor based on code overlaps and an instance where a Daxin was installed or attempted by actors attributable to China, both detailed in the February blog.
Thakur estimated that 80% of targets were governments related to Chinese interests.
As Symantec has catalogued infections, Thakur said that the vector for installation in all known cases were known vulnerabilities in internet-facing programs. The unknown cases originated on internet-facing systems.