  • Stefan Prandl

Stealthy Chinese Backdoors in YOUR area

Updated: Mar 28, 2022

New malware has popped up on the cyber radar. ZDNet reports that this time it’s a backdoor called Daxin, attributed to a China-affiliated hacking group, which has been turning up in attacks on critical infrastructure across the world. What’s neat about this backdoor is that it’s designed to resist detection by traditional security systems. It embeds itself in the Windows kernel as a driver (one that its operators have somehow managed to get signed, so it looks completely legitimate), and it uses a rather unusual method to communicate.

Daxin hijacks legitimate network connections to do its communication. Say your computer has Daxin, and you don’t know because it’s hidden away as a kernel driver. Sitting inside the network stack, the driver watches the TCP traffic flowing through the machine for a specific pattern that only another Daxin node would send. To ordinary monitoring software that traffic is indistinguishable from the legitimate connections the machine is already making, but when a Daxin-controlled peer connects and presents the pattern, the driver recognises it immediately (so to speak, it knows the other side is “on the side”). It then disconnects the legitimate recipient of that connection and takes it over, and the two Daxin machines use the already-established channel for their clandestine command and control. That means that, as far as traditional network monitoring solutions and firewalls are concerned, all of the C2 traffic appears to be part of legitimate, user-initiated communication.

This is an extremely hard to detect backdoor. However, because Firebug relies on statistics rather than deep packet inspection, it can determine that even though your HTTPS session was user-initiated, the traffic no longer looks like an HTTPS session once Daxin has hijacked it: after the takeover the connection carries Daxin’s own protocol rather than TLS, and its statistical shape gives it away. Firebug would be an invaluable tool for hunting down Daxin victims inside a compromised network.
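To make the two previous paragraphs concrete, here is an added example of the kind of check that catches a connection which starts out as HTTPS and then stops looking like one. It is not Firebug’s detection method and it is not Daxin’s wire protocol (the page does not describe Daxin’s actual framing, so the post-takeover bytes below are made up); it only inspects the five-byte header of each TLS record in a reassembled TCP stream, never the payload. The sample sessions, session ids and the 5% threshold are all constructed for the example.

```python
"""Spot a user-initiated HTTPS connection whose byte stream stops looking like TLS.

Added example: not Firebug's detection method and not Daxin's actual protocol.
It looks only at the five-byte header of each TLS record in a reassembled
TCP stream, never at payload contents. All sample streams are constructed.
"""
import struct

# Content types a TLS record may carry: ChangeCipherSpec, Alert, Handshake, ApplicationData.
TLS_CONTENT_TYPES = {20, 21, 22, 23}
# A TLSCiphertext record may be at most 2^14 + 2048 bytes (RFC 5246, section 6.2.3).
TLS_MAX_RECORD_LEN = 16384 + 2048


def tls_record(content_type, payload):
    """Frame payload as one TLS record with legacy version 0x0303 (TLS 1.2)."""
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload


def first_non_tls_offset(stream):
    """Walk the stream record by record and return the offset of the first byte
    that does not begin a well-formed TLS record header.

    Returns len(stream) when every complete header conforms. A trailing partial
    record (header seen, body still in flight) is treated as conforming.
    """
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        if (ctype not in TLS_CONTENT_TYPES
                or (version >> 8) != 0x03          # major version byte is always 3
                or (version & 0xFF) > 0x04         # SSL 3.0 .. TLS 1.3: 0x0300..0x0304
                or length > TLS_MAX_RECORD_LEN):
            return offset
        offset += 5 + length
    return len(stream)


def hijack_score(stream):
    """Fraction of the session's bytes that lie outside well-formed TLS records.

    0.0 means the whole session framed as TLS. A high score on a session that
    began with a clean handshake is the shape of a connection that started as
    HTTPS and was taken over by something speaking its own protocol.
    """
    if not stream:
        return 0.0
    return 1.0 - first_non_tls_offset(stream) / len(stream)


def flag_hijacked_sessions(sessions, threshold=0.05):
    """Return the ids of sessions whose hijack_score exceeds the threshold."""
    return [sid for sid, stream in sessions.items() if hijack_score(stream) > threshold]


def _filler(n, seed=0):
    """Deterministic stand-in bytes for constructed payloads."""
    return bytes((i * 7 + seed) & 0xFF for i in range(n))


def build_sample_sessions():
    """Constructed streams standing in for reassembled TCP data on port 443."""
    handshake = tls_record(22, b"\x01" + _filler(180, 3))   # ClientHello-shaped record
    ccs = tls_record(20, b"\x01")                          # ChangeCipherSpec
    app_data = b"".join(tls_record(23, _filler(n, i))
                        for i, n in enumerate((512, 96, 1400, 64)))

    # A normal HTTPS session: handshake, then application data, all TLS-framed.
    legit = handshake + ccs + app_data

    # The same legitimate start, after which the peer switches to a made-up
    # framing of its own. Hypothetical stand-in for the takeover described on
    # the page; NOT Daxin's real wire format.
    takeover = b"\x00\x00\x0b\x00" + _filler(2816, 9)
    hijacked = handshake + ccs + takeover

    return {"sess-legit": legit, "sess-hijacked": hijacked}


if __name__ == "__main__":
    sessions = build_sample_sessions()
    for sid, stream in sessions.items():
        print(f"{sid}: {len(stream)} bytes, hijack score {hijack_score(stream):.3f}")
    print("flagged:", flag_hijacked_sessions(sessions))
```

Note that the check never looks inside a record body, so it stays cheap and works on encrypted traffic; what it cannot do is tell a Daxin takeover from any other non-TLS speaker on port 443, so in practice it is one feature to feed into a flow-level detector (together with packet sizes, direction ratios and timing) rather than a verdict on its own.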
