A backdoor in use as recently as November 2021 is the “most advanced piece of malware” ever seen from China-linked spies, according to researchers at Symantec.
The cybersecurity company said Monday that the backdoor, dubbed Daxin, is part of “a long-running espionage campaign against select governments and other critical infrastructure targets,” most of them being of strategic interest to China. The malware “appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions,” the researchers said.
“This isn’t really comparable to any other strains of China-linked malware in our opinion. It’s on another level,” Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, told CyberScoop. “It would be near the same level as malware we’ve seen attributed to Western powers, but maybe not as well put together.”
Symantec, part of Broadcom Software, said it worked with the U.S. government’s new public-private initiative, the Joint Cyber Defense Collaborative (JCDC), to share information about Daxin. The company cooperated with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) “to engage with multiple foreign governments targeted with Daxin.”
Symantec’s interaction with the JCDC, in this case, was the “perfect example of the private sector and government working together,” said Clayton Romans, associate director of CISA.
“These kinds of threats pose a dynamic challenge and require a team effort that CISA is uniquely positioned to enable,” Romans said. “The more we collaborate, the better we can provide for the collective defense of critical infrastructure, here and abroad.”
In addition to government targets, Daxin has been used against entities in the telecommunications, transportation and manufacturing sectors, the report said. Some of the targets were identified with the help of threat intelligence specialists at consultancy PwC. Symantec said Daxin may have been in use as early as 2013.
Daxin keeps quiet
Daxin allows attackers to read and write files and start processes, but “its real value to attackers lies in its stealth and communications capabilities,” Symantec said.
The malware is capable of hijacking legitimate TCP/IP connections and exchanging digital keys with a remote peer. (TCP/IP stands for “Transmission Control Protocol/Internet Protocol,” and is used to communicate between computers.) A successful key exchange then lets it open an encrypted communication channel for receiving commands and sending information back to the remote source.
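To make concrete why carrying command-and-control traffic over an already-established, legitimate connection defeats the kind of network-anomaly monitoring a SOC typically runs, here is a small added illustration written for this article; it is not code from Symantec’s report and models Daxin only at the level the paragraph above describes. It runs two simple checks over constructed NetFlow-style records: a “new destination” check that flags connections to hosts not in a baseline, and a payload-entropy check that flags encrypted-looking bytes on ports where cleartext is expected. The IP addresses, ports, payloads, baseline and the 7.0-bit threshold are all assumptions chosen for the example.

```python
"""Constructed flow-log checks (illustrative; not from the Symantec report).

Two monitoring checks a SOC might run over flow records, used to show that
traffic tunneled inside an existing, legitimate TCP session (as the article
describes for Daxin) passes a destination-baseline check, while a payload
check can still surface it.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # sample of application-layer bytes seen on the connection


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for encrypted/random data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Ports on which we expect readable cleartext (assumption for this example).
CLEARTEXT_PORTS = {21, 25, 80}

# Constructed baseline: destinations this host normally talks to.
BASELINE_DESTINATIONS = {"203.0.113.10"}

# Constructed samples. bytes(range(256)) stands in for encrypted data
# (every byte value equally likely, so entropy is exactly 8.0 bits).
ENCRYPTED_LIKE = bytes(range(256))
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

FLOWS = [
    # Ordinary web request to a known server: passes both checks.
    Flow("10.0.0.5", "203.0.113.10", 80, HTTP_REQUEST),
    # Conventional C2: a brand-new outbound destination, caught by check 1.
    Flow("10.0.0.5", "198.51.100.7", 443, ENCRYPTED_LIKE),
    # Encrypted traffic riding an existing session to the known web server:
    # no new destination (check 1 is blind), but the payload does not look
    # like HTTP, so check 2 flags it.
    Flow("10.0.0.5", "203.0.113.10", 80, ENCRYPTED_LIKE),
]


def new_destination_alerts(flows, baseline=BASELINE_DESTINATIONS):
    """Check 1: connections to destinations never seen in the baseline."""
    return [f for f in flows if f.dst not in baseline]


def entropy_alerts(flows, threshold=7.0):
    """Check 2: high-entropy payloads on ports where cleartext is expected."""
    return [
        f for f in flows
        if f.dport in CLEARTEXT_PORTS and shannon_entropy(f.payload) > threshold
    ]


if __name__ == "__main__":
    for f in new_destination_alerts(FLOWS):
        print(f"new destination: {f.src} -> {f.dst}:{f.dport}")
    for f in entropy_alerts(FLOWS):
        print(f"encrypted-looking payload on cleartext port: {f.src} -> {f.dst}:{f.dport}")
```

The point of the pairing is that a destination-baseline check alone, which is what a simple “unexpected outbound connection” rule amounts to, sees nothing when the attacker reuses a connection the host was already allowed to make; a check on what the bytes look like is independent of which connection carries them, which is why protocol-conformance and payload checks belong alongside flow-count rules.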
“Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules,” the Symantec report said. “It may also lower the risk of discovery by SOC [security operations center] analysts monitoring for network anomalies.”
That stealth is part of what separates Daxin from previously identified malware, O’Brien said.
“It’s notable in the way it integrates itself into legitimate machine behavior, generating no suspicious network traffic but also in the way it can create peer-to-peer networks of nodes of infected computers, allowing the attackers to penetrate deep into protected assets in targeted organizations,” he said.
The Symantec research comes as Chinese researchers are embracing the business of outing the cyber-espionage tools of Western powers. Last week the China-based cybersecurity company Pangu Lab accused the U.S. National Security Agency of being behind a decade-old exploit.
Update: Adds comments from CISA official, March 1, 8:45 a.m.