Kernel Level Rat "Daxin" Discovered

Read Time:1 Minute, 42 Second

FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather and perform various command and control actions and data exfiltration on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that it would be ready for today’s announcement.What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as rootkits. Kernel level rootkits operate at ring 0, which allows them to operate at
the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion by network administrators and or endpoint security software. Daxin does not contain any unique capabilities from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate in multiple nodes on highly secured networks.This backdoor has been attributed to state sponsored threat actors of China where targets are organizations that are of interest to the Chinese government.What Operating Systems Were Targeted?Windows operating systems.What is the Likelihood of Exploitation?Low. This is due to the attacks observed being focused on the specific interests by the threat actors behind Daxin, and not as part of a widespread attack.Is this Limited to Targeted Attacks?Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, telecommunications, transportation, and manufacturing sectors as well.What is the Status of Coverage?Customers running the latest AV definitions are protected by the following signatures:W32/Agent.FF56!tr.bdrW32/Backdoor.DAXIN!trW32/PossibleThreatW64/Agent.FF56!tr.bdrW64/Backdoor.DAXIN!trW64/Agent.QWHWSZ!trMalicious_Behavior.SBW32/Exforel.B!tr.bdrDx.BG3D!trW64/Agent.WT!trW32/PossibleThreat

Cyber Security News

ConnectWise Fixes XSS Vulnerability that Could Lead to Remote Code Execution

Google Releases Chrome Patch to Fix New Zero-Day Vulnerability

Remote Code Execution Vulnerability Found in Windows Internet Key Exchange

What is Antivirus and What Does It Really Protect?

Cybercriminals are increasingly using info-stealing malware to target victims

Experts Warn Remote Workers of Black Friday Security Threats

Experts Find 1600+ Malicious Docker Hub Images

Top cybersecurity M&A deals for 2022

Global Police Celebrate $130m Cyber Busts

Kernel Level Rat “Daxin” Discovered

A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

wireshark-4.0.1-1.fc37

firefox-107.0-4.fc35

ZDI-CAN-19046: Cacti

qpress-20220819-3.el8

qpress-20220819-1.el9