CyberWire Daily - Attackers coming in from the Backdoor? [Research Saturday]
Episode Date: April 30, 2022
Vikram Thakur of Symantec's Threat Hunter team joins Dave Bittner to discuss their work on Daxin, a new backdoor and the most advanced piece of malware researchers have seen from China-linked actors. Symantec said: "There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China." They go on to explain how Daxin is used to target organizations and governments of strategic interest to China and how those agencies can protect themselves. Symantec also discusses how this is the most advanced piece of malware their researchers have seen. The research can be found here: Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life
JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Well, we stumbled across Daxin during a completely different investigation into malware.
When we did, we dug into it, and we uncovered a lot, lot, lot more.
That's Vikram Thakur. He's a technical director with Symantec's Threat Hunter team.
The research we're discussing today is titled Daxin, Stealthy Backdoor Designed for Attacks Against Hardened Networks.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI.
Well, let's walk through the story together. I mean, you all are out there doing, as you say, some other work, and you happen upon this.
What happened next?
So the first thing we did was to take a look at the suspicious activity that was happening
on a computer.
Now think of this as your computer doing everything that you intended to do and then some.
So we looked at the component that was causing this little extra bit of communication.
And so when we looked into it,
at first sight, it was extremely difficult
to even understand what it's doing
because as different pieces of malware
or viruses or worms, they go about,
this piece of malware was designed in a way
where it was extremely obfuscated.
So it's as though the author of this malware took extreme measures to ensure that any researcher, or even somebody else who got hold of this malware, wouldn't be able to understand what it was truly meant to do.
So it took us a long time to be able to do what we call analyze, which essentially means that we take a file and then we tear it apart and then try to understand what it was truly meant to do and what features or what capabilities it has.
And that took us, in this particular case, more than a few weeks. Let's leave it at that.
Now, was it the file that you discovered first or was it the activity?
Which led to which?
So we discovered the activity first
and then when we looked a little closer
to understand where the activity
was being orchestrated from,
and this usually is one file
or a set of files on somebody's computer.
In this particular instance, we stumbled across one specific file, which was playing that role
of generating this extra activity on that computer.
And what did that activity look like?
So before I get into what this activity looks like, I'll give a little bit of a background.
What normally happens is whenever a foreign or an unauthorized piece of a file or an executable or an application gets onto somebody's computer, it tends to be a little noisy. So it opens up the computer to more things. It starts looking for files on your computer. It might look for credit cards stored on different computers. So there's a bit of, think of it as noise, which is being generated in the computer world.
Daxin, or what we noticed in this particular case, was while there was suspicious activity, Daxin was trying to hide every single thing that it was doing under the umbrella of some existing legitimate application within the computer. So if somebody just looked at the computer with an untrained eye, they would not be able to even spot Daxin's existence because everything would be looking normal. Like, hey, there's communication happening through Chrome or Internet Explorer or Edge or Slack or something. And nobody would be able to see that, hey, there is something happening in addition to what these legitimate applications are doing.
So in our particular case, we were able to spot it because, well, we've been in the business for a little while. And that is where we noticed that Daxin was trying to add its behavior under the umbrella of an existing application or legitimate application within the Windows environment.
And how was it doing that? What was it trying to piggyback onto?
So that's really interesting. So while we were able to see that there was some activity going on,
we were not able to so-called capture it
so that we can look at it later.
What we eventually landed up with is we just had this one file, which we today call Daxin. And our aim at that point was to understand what Daxin's capabilities are, because we'd already seen that it was doing some stuff, but we did not capture it, or we weren't able to contain it, so we weren't able to look at that in the lab by ourselves.
And from a capability standpoint, what we noticed was Daxin as a piece of malware was designed with one and only one sole intention, which is stay under the radar of any security software, stay under the radar of anybody ever noticing, and do whatever it needs to do under the guise of an existing application so that nobody ever notices that it even exists. So that was the ulterior motive. And it was pretty apparent in our subsequent findings, which is when we look at Daxin, Daxin has been coded in a manner where it remains extremely stealthy so that it can be used in extremely long cyber campaigns against entities.
So when I say long, I'm talking months, if not years long.
That just means that Daxin was intended to be deployed against targets or cyber targets where it could be deployed and then
it could be used for espionage purposes over an extremely long period of time rather than
just steal some information across a couple of days or a week.
And so what is the spectrum of functionality that it had?
What sort of capabilities were there?
So as an example, Daxin plays what we call man in the middle. So it essentially means that if your computer has any degree of communication which is happening with some legitimate service, so think of it as people opening up their browsers and going over to a mail portal and logging in. So at that stage, their computer is talking to a computer owned by another entity, whether it's Google, Microsoft, somebody else out there.
Daxin has the ability to intercept every single piece of that communication going out of your computer and coming back into your computer. So Daxin is examining every single packet which is going out and in, examining it, looking at it, and making a determination of whether it is of any value to Daxin's operators. And if it is, then it's taking action, or it would do things like, hey, I'm just going to send this email over to my masters, or hey, I'm just going to steal this little piece of information and send it over to my masters.
So that is one capability of Daxin, and that's one of its primary ones. There are a few others just like this, which were meant to be able to hijack networks
where not every computer within the network communicates with the internet.
So it has that ability also.
And as you mentioned, it's very careful in what it does.
So am I correct that when it reaches out to its commanders, if you will,
that it's doing so in a very stealthy way?
It is. So I took the example of somebody using a web browser and going over to a webmail portal. So let's take, for example, that somewhere in there, Daxin comes across a piece of information that it needs to send over to its masters. It would do it using the existing same channels. It would send that information out from the person's computer under the umbrella of using the web browser. So to the untrained eye, it would
look like the web browser is just sending some information or some packets over to some server, whether it's in Norway or Sweden or China or Germany, it doesn't really matter.
And so when it does it using the exact same protocol, the same technique as a web browser
would normally use, the chances of somebody noticing that, hey, some information has gone
to the wrong commander or the wrong server, is extremely low.
And that's what Daxin makes use of.
Do you have any guesses as to how the computer
initially got infected here?
So we looked at a few dozen cases over the past decade,
and there is no one way that the attackers
were able to get onto the computers.
In some cases, they were able to leverage weaknesses
in, let's say, exchange servers.
And just because it's public information
and the security vulnerabilities are public information,
these computers were not patched
to the latest and greatest available versions.
The attackers just made use of the existing public knowledge
to be able to get Daxin onto these computers.
Now, we know that is not the only way that they got on,
but there's no single way.
They pretty much used anything at their disposal
and customized it to different environments and then got on.
And Daxin has some history here.
I mean, yours was not the first discovery of it.
So we discovered Daxin as the first people to discover it.
But there is some history, like you pointed out.
When we started looking at Daxin, we obviously looked around to see if any of the other security vendors or researchers out there had mentioned anything of this sort. And the answer came back
as no. And so nobody had. But we have an ability to go back and retroactively look at events that
have come across our radar in the past to see if Daxin has been around.
And so we go back and we can see that, okay, well, for the last five years, every year,
we see about two or three victims or at least targets, but it stops out there.
So we expanded our search by saying, okay, instead of just looking for Daxin, can we
look for parts of Daxin?
Can we find parts of code that may have existed prior to that five-year mark?
And it did.
It actually goes back all the way to 2009.
We came across a blog that Microsoft had posted back in 2012, just 10 years ago, about a piece of malware that they called X4L. That was just a completely different name. And when we compared X4L to Daxin, we realized that X4L was a previous incarnation of what we were looking at as Daxin. So that's how, you know, we made that connection.
Now, X4L, there was a blog written about it by Microsoft,
but it doesn't exist as of today.
Like, I think they deleted it somewhere along the way
for reasons unknown.
Also, there is a mention of the word X4L
in a very tenuous manner related to the Shadow Brokers leaks.
But that goes another degree of separation, actually.
Well, in terms of who we might think is behind this, what were your thoughts there?
Based on two or maybe three factors, we said with to find at least one primary author of Daxin. And even though we don't make that person or that entity's name public, we are aware of this person's hand in developing Daxin over the years.
So in terms of mitigation here,
how do you recommend organizations protect
themselves against this sort of thing?
So it's extremely hard to be able to put a trained eye upon every single computer out there. So in terms of mitigation, all I would advise large organizations, and especially organizations that have a role to play in geopolitics, a role to play in government function, is to take stock of different files on their computers, audit their PowerShell logs, audit ACLs or permission logs, which keep track of whether a particular asset on a computer, like think of it as a file, has been given permission to some unauthorized person. So generally, it would be a lot of good hygiene, good auditing recommendations from our side. I can't say, hey, if you were to take these particular three steps, you will be in the clear, because Daxin is clearly designed to evade and fly under the radar as far as it really can.
Yeah, I mean, it really seems to me
like this is one of those examples
where you really have to have
defense in depth, right?
I mean, when something is trying
to be as stealthy as this is
and seems to be effective at it, even in this case, it was a bit of luck that you all came across this
from the outset.
I think you're right. I think, you know, we definitely just got a little lucky and stumbled across it. But that's reflective of the fact that this has existed since 2009 and nobody's been able to discover it since. I mean, it goes to show that, you know, the author and the operators were very successful in both being able to use it as well as keep it away from any public mention or discovery for an extremely long period of time. So that's why, in our eyes, we believe that Daxin was designed and used strictly for espionage purposes against geopolitically sensitive or relevant organizations, rather than what we commonly see Chinese actors performing, which is intellectual property theft. So Daxin does none of that. And all the targets that we've seen to date have an extremely sensitive geopolitical stance.
Our thanks to Vikram Thakur from Symantec's Threat Hunter team for joining us. The research is titled Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf, Eliana White, Peru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe.
Thanks for listening. We'll see you back here next week.