Threat Signal Report

Kernel Level Rat "Daxin" Discovered

description-logo Description

FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather and perform various command and control actions and data exfiltration on victim machines.


Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that it would be ready for today's announcement.


What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as rootkits. Kernel level rootkits operate at ring 0, which allows them to operate at the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion by network administrators and or endpoint security software.


Daxin does not contain any unique capabilities from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate in multiple nodes on highly secured networks.


This backdoor has been attributed to state sponsored threat actors of China where targets are organizations that are of interest to the Chinese government.


What Operating Systems Were Targeted?

Windows operating systems.


What is the Likelihood of Exploitation?

Low. This is due to the attacks observed being focused on the specific interests by the threat actors behind Daxin, and not as part of a widespread attack.


Is this Limited to Targeted Attacks?

Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, telecommunications, transportation, and manufacturing sectors as well.


What is the Status of Coverage?

Customers running the latest AV definitions are protected by the following signatures:


W32/Agent.FF56!tr.bdr

W32/Backdoor.DAXIN!tr

W32/PossibleThreat

W64/Agent.FF56!tr.bdr

W64/Backdoor.DAXIN!tr

W64/Agent.QWHWSZ!tr

Malicious_Behavior.SB

W32/Exforel.B!tr.bdr

Dx.BG3D!tr

W64/Agent.WT!tr

W32/PossibleThreat


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.