Does Your Hardened Network Keep The Bad Guys From Daxin In?


The Threat Hunter Team at Symantec (Broadcom Software), working jointly with CISA, has identified an APT campaign against select government agencies and critical infrastructure targets that uses a highly sophisticated rootkit backdoor named Daxin.

Daxin is a rootkit backdoor, implemented as a Windows kernel driver, whose command-and-control design lets attackers reach not only devices with internet access but also devices with limited or no internet access. Rather than opening its own listening port, it watches traffic arriving at services that are already running on the infected host and hijacks legitimate TCP connections, so no new service or socket appears. Several infected hosts can be chained into a multi-node communications channel that spans network boundaries, allowing the attackers to reach machines deep inside highly secured environments. Because commands and exfiltrated data ride on what looks like normal, already established TCP traffic, port baselines and "new listening service" alerts will not catch it, which is what makes Daxin such a stealthy tool for transmitting commands and exfiltrating data from deep within a network.

This attack methodology makes network segmentation more important than ever, and it also makes it worth verifying that the segmentation actually holds: Daxin's relay only works along TCP connections the network already permits, so every allowed internal-to-internal flow between a sensitive segment and a host with internet access is a potential hop in the chain.
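The check below is an added example written for this post, not code from Symantec or CISA. It treats every observed internal TCP connection as a possible relay hop, as described above, and lists, for each host in a restricted segment, the shortest chain of existing connections that ends at a host which also talks to the internet. The flow records, the 10.20.3.0/24 "restricted" segment and the 10.0.0.0/8 internal range are constructed assumptions; in practice you would feed it flow logs exported from your own firewalls or NetFlow collectors.

```python
"""
Relay-path check over flow records.

Daxin-style backdoors do not open new listening ports; they piggyback on
TCP connections that already exist and relay commands across several
infected hosts. A host with no internet route can therefore still be
reached if one of its internal peers has internet access. This script
takes flow records and, for every host in a restricted segment, finds the
shortest chain of existing internal connections that reaches a host with
internet egress.
"""
from collections import deque
import ipaddress

# Constructed sample flow records: (src, dst, dst_port). Not real data.
FLOWS = [
    ("10.10.1.5", "10.10.1.20", 445),     # workstation -> file server
    ("10.10.1.20", "10.20.3.7", 1433),    # file server -> DB in restricted segment
    ("10.10.1.5", "93.184.216.34", 443),  # workstation -> internet
    ("10.20.3.7", "10.20.3.8", 5985),     # DB -> management host in the segment
    ("10.20.3.8", "10.20.3.9", 22),       # management host -> another internal host
    ("10.20.3.50", "10.20.3.51", 502),    # two hosts that only talk to each other
]

# Assumed segment definitions (hypothetical addressing).
RESTRICTED = ipaddress.ip_network("10.20.3.0/24")   # segment meant to have no internet path
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]      # everything else is "the internet"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def build_graph(flows):
    """Undirected graph of internal hosts plus the set of hosts with egress.

    Each observed internal-to-internal TCP connection becomes an edge: a
    hijacked connection can carry traffic in either direction, so the
    original client/server roles do not matter for reachability.
    """
    graph = {}
    egress = set()
    for src, dst, _port in flows:
        if is_internal(src) and is_internal(dst):
            graph.setdefault(src, set()).add(dst)
            graph.setdefault(dst, set()).add(src)
        elif is_internal(src) and not is_internal(dst):
            egress.add(src)               # this host can reach the internet directly
            graph.setdefault(src, set())
    return graph, egress


def _bfs(graph, start, targets):
    """Shortest path from start to any node in targets, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def relay_paths(flows, restricted=RESTRICTED):
    """Map each restricted host to its shortest relay chain to an egress host.

    A value of None means no chain of observed connections leads out, which
    is what a correctly isolated segment should look like.
    """
    graph, egress = build_graph(flows)
    return {
        host: _bfs(graph, host, egress)
        for host in graph
        if ipaddress.ip_address(host) in restricted
    }


if __name__ == "__main__":
    for host, path in sorted(relay_paths(FLOWS).items()):
        if path:
            print(f"{host}: reachable via {' -> '.join(path)} ({len(path) - 1} hop(s))")
        else:
            print(f"{host}: no chain of existing connections to an internet-facing host")
```

Any restricted host that comes back with a path is one a Daxin-style relay could reach without a single new socket being opened; the remaining hop-by-hop question is whether each edge in that path is a connection the firewall rules are supposed to allow.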

CISA’s report of the campaign can be found here: https://www.cisa.gov/uscert/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware

Symantec’s blog post outlining the attack including known IOCs can be found here: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage

Reach out to our incident response team for help
