Kernel Level Rat "Daxin" Discovered

Read Time:1 Minute, 42 Second

FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather and perform various command and control actions and data exfiltration on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that it would be ready for today’s announcement.What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as rootkits. Kernel level rootkits operate at ring 0, which allows them to operate at
the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion by network administrators and or endpoint security software. Daxin does not contain any unique capabilities from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate in multiple nodes on highly secured networks.This backdoor has been attributed to state sponsored threat actors of China where targets are organizations that are of interest to the Chinese government.What Operating Systems Were Targeted?Windows operating systems.What is the Likelihood of Exploitation?Low. This is due to the attacks observed being focused on the specific interests by the threat actors behind Daxin, and not as part of a widespread attack.Is this Limited to Targeted Attacks?Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, telecommunications, transportation, and manufacturing sectors as well.What is the Status of Coverage?Customers running the latest AV definitions are protected by the following signatures:W32/Agent.FF56!tr.bdrW32/Backdoor.DAXIN!trW32/PossibleThreatW64/Agent.FF56!tr.bdrW64/Backdoor.DAXIN!trW64/Agent.QWHWSZ!trMalicious_Behavior.SBW32/Exforel.B!tr.bdrDx.BG3D!trW64/Agent.WT!trW32/PossibleThreat

European Journalists Targeted by Paragon Spyware, Citizen Lab Confirms

Paragon Spyware used to Spy on European Journalists

Ransomware Gang Exploits SimpleHelp RMM to Compromise Utility Billing Firm

Microsoft 365 Copilot: New Zero-Click AI Vulnerability Allows Corporate Data Theft

South African man imprisoned after ransom demand against his former employer

Inside a Dark Adtech Empire Fed by Fake CAPTCHAs

Airlines Secretly Selling Passenger Data to the Government

Sweden says it is under cyber attack

Cybersecurity Warrior-Leaders: Self and Team Care

Kernel Level Rat “Daxin” Discovered

apache-commons-beanutils-1.9.4-39.fc41

apache-commons-beanutils-1.9.4-39.fc42

USN-7550-7: Linux kernel (NVIDIA Tegra IGX) vulnerabilities

chromium-137.0.7151.103-1.el10_1

chromium-137.0.7151.103-1.el9

mediawiki-1.43.1-1.fc42