{"id":2271,"date":"2022-03-08T00:07:44","date_gmt":"2022-03-08T07:07:44","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2271"},"modified":"2022-03-08T00:07:48","modified_gmt":"2022-03-08T07:07:48","slug":"a-silent-malware-the-daxin","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/08\/a-silent-malware-the-daxin\/","title":{"rendered":"A Silent Malware: The Daxin"},"content":{"rendered":"\n<p>Every day that we are alive on this planet, humanity and its software continue to grow and evolve collectively, if not together. And every day we are introduced to more and more vulnerabilities in both areas, from the unfortunate effects of Covid-19 to losing your computer data because all you wanted to see were some dancing pigs. Today, I will be sharing with you a piece of malware that has recently arisen in the news, known as Daxin: a complex and hard-to-detect backdoor that is able to steal your information by quietly riding on the network connections your computer is already using.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is it? Why is it?<\/h3>\n\n\n\n<p>Daxin, or more formally Backdoor.Daxin, is a piece of malware that enters your computer(s) as a<em> backdoor<\/em> (<strong>a backdoor is&nbsp;a type of malware that bypasses normal authentication procedures to access a system<\/strong>, <strong>in other words a form of trojan<\/strong>) and lets its controller run whatever they would like on it. Not only that, it also has <em>network tunneling abilities<\/em> (<strong>it can carry the attacker&#8217;s traffic from one&nbsp;network&nbsp;to another through the machines it has infected<\/strong>) and can even hijack existing Transmission Control Protocol\/Internet Protocol connections! It is attributed to China-linked actors, and Symantec considers it the most advanced piece of malware it has seen from China-linked actors thus far. 
Its purpose is espionage: it has been used by China-linked actors against governments and other organizations of strategic interest to China, and while it is an incredibly complex piece of code it is not built to cause visible damage. It is optimized to get into the target&#8217;s network as quietly as possible, stay there for a long time and steal data without being noticed.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>TCP\/IP stands for Transmission Control Protocol\/Internet Protocol and is a suite of communication protocols used to interconnect network devices on the internet.<\/strong><\/p><cite>https:\/\/www.techtarget.com\/searchnetworking\/definition\/TCP-IP<\/cite><\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">Okay, but when was this discovered?<\/h4>\n\n\n\n<p>The Symantec Threat Hunter Team, the first to report that this backdoor had been lurking around, deduced that it may have been in use since 2013. Its age shows in how it infects its victims, as a Windows kernel driver, which is less common nowadays; it only received minor tweaks from then up until November 2021, when its most recent known attacks occurred. One attack that used it was back in 2019, in which Daxin and another malware, known as OwlProxy, were found on the computer of a small tech company. The attackers fell back on OwlProxy after attempting to deploy Daxin and failing. In July of 2020 they made two unsuccessful attempts to load a suspicious driver on a military target; given the nature of their prior attacks the driver was thought to be Daxin, though it remains unconfirmed. 
<\/p>\n\n\n\n<p>Before Daxin, its creators appear to have been working on an earlier backdoor called Backdoor.Zala, which had almost all of Daxin&#8217;s features but was less advanced in quite a few aspects, such as its networking techniques. The two families share a number of common libraries, which is why they are believed to share a codebase.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">That&#8217;s fine and all, now what does it REALLY do?<\/h4>\n\n\n\n<p>As previously mentioned, Daxin operates as a Windows kernel driver, and it is designed to hop from infected system to infected system across a network with a single external command: the attacker names the whole chain of compromised nodes at once and Daxin builds the multi-hop path itself. That is a notable advance, since most attackers have to move from node to node one command at a time.<\/p>\n\n\n\n<p>As previously stated, it hijacks TCP\/IP sessions too. Its driver monitors the incoming traffic to a legitimate service for a specific pattern; when it sees that pattern it disconnects the legitimate recipient, takes over the connection, performs a key exchange with the remote peer and then opens an encrypted channel over the hijacked link so that the backdoor can receive commands and send data back. Because Daxin opens no new listening ports and instead piggybacks on real services already running on the infected computers, the connection looks like ordinary traffic to a port the firewall already allows, so firewall rules do little to stop it and a security team watching for new services or ports will not notice it.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>&#8220;It is designed to be used in long-term strategic attack campaigns. 
To achieve that, it does the second thing, which is to be as stealthy as possible: It does not open up any new ports; it does not speak with a command-and-control server explicitly at any point in time.&#8221;<\/strong><\/p><cite>Symantec&#8217;s Thakur<\/cite><\/blockquote>\n\n\n\n<figure class=\"wp-block-image size-full\"><img width=\"728\" height=\"543\" src=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-content\/uploads\/sites\/115\/2022\/03\/daxin-malware.jpg\" alt=\"\" class=\"wp-image-2285\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Dangerous! Is there any cure?<\/h4>\n\n\n\n<p>At this moment, much is still unknown about the backdoor, and the discovery team has not said much beyond its initial report. In another <a href=\"https:\/\/www.techrepublic.com\/article\/daxin-a-chinese-linked-malware-that-is-dangerous-and-nearly-impossible-to-detect\/#:~:text=Daxin%20is%20a%20backdoor%20malware,incredibly%20complex%20piece%20of%20code.\">blog post<\/a>, it is mentioned that the attackers deploy Daxin with legitimate administration tools like PsExec (which is what they used against the small tech company mentioned earlier) once they already have a foothold and credentials, instead of sending files and hoping their victims will eventually open them. That matters for defenders: the thing to watch for is not a new listening port but a new kernel-mode driver being installed, or PsExec-style remote service creation on hosts where an administrator would not expect it. <br><br>Knowing this, Symantec simply recommended following good cyber security practices and staying alert, although if you work for a government agency or an organization of strategic interest to China, you&#8217;ll have to be more careful than most. 
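To make the hijacking mechanism described above concrete, here is an added example in Python. It is my own model, not Daxin's code and not anything from Symantec's analysis: a filter sits in front of a service that is already listening, ordinary segments reach the real service, but a segment carrying a constructed trigger pattern makes the filter disconnect the legitimate recipient and keep the socket for the backdoor, so the set of listening ports never changes. The trigger bytes, the peer addresses and the port numbers are assumptions for illustration; the real driver's key exchange and encrypted channel are left out and only noted in the comments.

```python
"""Model of Daxin-style connection hijacking (added example, not Daxin's code).

A filter in front of an existing listener inspects every inbound segment.
Normal traffic goes to the real service; a segment carrying the trigger
pattern causes the filter to cut the legitimate recipient off and keep the
connection for the backdoor. No new listening port is ever opened, which is
why port scans and netstat show nothing. The real driver then performs a key
exchange and opens an encrypted channel; that part is not modelled here.
"""
from dataclasses import dataclass, field

# Constructed trigger pattern (assumption): Daxin's real pattern is not public.
TRIGGER = b"\xd4\x11\x7a\x33"


@dataclass
class Connection:
    """One inbound TCP connection as seen from the infected host."""
    peer: str
    port: int
    owner: str = "service"                            # "service" or "backdoor"
    service_rx: list = field(default_factory=list)    # bytes the real service saw
    backdoor_rx: list = field(default_factory=list)   # bytes the backdoor saw
    reset_sent: bool = False                          # legitimate recipient was cut off


@dataclass
class HijackingFilter:
    """Traffic filter sitting in front of existing listeners (models the driver)."""
    listening_ports: frozenset            # what netstat would show; never changes
    trigger: bytes = TRIGGER
    hijacked: list = field(default_factory=list)

    def deliver(self, conn: Connection, segment: bytes) -> str:
        """Route one inbound segment and report who received it."""
        if conn.port not in self.listening_ports:
            return "dropped"              # no listener, and the filter never adds one
        if conn.owner == "backdoor":
            conn.backdoor_rx.append(segment)
            return "backdoor"
        idx = segment.find(self.trigger)
        if idx < 0:
            conn.service_rx.append(segment)   # normal traffic is passed through untouched
            return "service"
        # Trigger seen: disconnect the legitimate recipient and keep the socket.
        conn.owner = "backdoor"
        conn.reset_sent = True
        conn.backdoor_rx.append(segment[idx + len(self.trigger):])
        self.hijacked.append(conn)
        return "hijacked"


def run_scenario() -> dict:
    """Two clients talk to port 443: a browser and the operator's relay (constructed)."""
    flt = HijackingFilter(listening_ports=frozenset({443, 445}))
    browser = Connection(peer="10.0.0.7", port=443)
    operator = Connection(peer="203.0.113.9", port=443)   # constructed address
    stray = Connection(peer="10.0.0.8", port=8443)        # nothing listens here

    results = {
        "browser": flt.deliver(browser, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        "operator_first": flt.deliver(operator, b"\x16\x03\x01" + TRIGGER + b"hello"),
        "operator_next": flt.deliver(operator, b"cmd:ls"),
        "stray": flt.deliver(stray, TRIGGER + b"cmd:ls"),
        "browser_again": flt.deliver(browser, b"GET /a HTTP/1.1\r\n\r\n"),
    }
    return {
        "results": results,
        "ports_after": set(flt.listening_ports),     # unchanged: nothing new to scan for
        "browser_untouched": browser.owner == "service" and not browser.reset_sent,
        "operator_payload": b"".join(operator.backdoor_rx),
        "operator_reset_seen": operator.reset_sent,  # the one artefact a sensor might catch
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the last two fields: the browser is never affected and the listening ports do not change, so host-based port inventories miss the backdoor entirely; the only network-visible artefact is that a legitimate client of the hijacked service gets disconnected, which is a thin but real signal for a sensor that tracks abnormal resets on an otherwise healthy service.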
<br><br>Every day brings a new danger, so stay safe and make certain your network is secure!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every day that we are alive on this planet, humanity and its software continue to grow and evolve collectively, if not together. And every day we are introduced to more and more vulnerabilities in both areas, from the unfortunate effects of Covid-19 to losing your computer data because all you wanted to see were some dancing &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/08\/a-silent-malware-the-daxin\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;A Silent Malware: The Daxin&#8221;<\/span><\/a><\/p>\n","protected":false},"author":294,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-2271","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"ishrat","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/ishrat-naba\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/294"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=2271"}],"version-history":[{"count":5,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2271\/revisions"}],"predecessor-version":[{"id":2399,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/2271\/revisions\/2399"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=2271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=2271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=2271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
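A companion to the advice in the "Dangerous! Is there any cure?" section of the post, added here at the end and not part of the original or of Symantec's material: a small Python hunt over Windows event log records. Since Daxin opens no port, the artefacts worth looking for are the Service Control Manager event 7045 that records a kernel-mode driver being installed from an unusual path, the PSEXESVC service that PsExec installs when it is used to deploy the backdoor, and a network logon (Security event 4624, logon type 3) shortly before either. The event records, hostnames, users, paths and timestamps are constructed samples that follow the real events' field names; the five-minute correlation window and the "drivers directory" heuristic are my assumptions, not published detection logic.

```python
"""Hunting for Daxin-style deployment artefacts in Windows event logs.

Added example, not from the original post or from Symantec. The backdoor
cannot avoid registering a kernel-mode driver service (System log, event 7045
from Service Control Manager), and in the cases Symantec described it was
dropped with PsExec, which installs its own service (PSEXESVC). Both leave
7045 records; a remote network logon just before them shows the install was
driven from another host. All sample data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events (assumption: field names mirror the real 7045 and
# 4624 records; hosts, users, paths and times are invented for illustration).
EVENTS = [
    {"time": "2021-11-02T09:14:03", "id": 4624, "host": "FS01",
     "logon_type": 3, "src_ip": "10.1.4.22", "user": "CORP\\svc-backup"},
    {"time": "2021-11-02T09:14:09", "id": 7045, "host": "FS01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "service_type": "user mode service", "start_type": "demand start"},
    {"time": "2021-11-02T09:15:40", "id": 7045, "host": "FS01",
     "service_name": "NetFltr", "image_path": r"C:\ProgramData\nfl\nfltr.sys",
     "service_type": "kernel mode driver", "start_type": "auto start"},
    {"time": "2021-11-02T11:00:00", "id": 7045, "host": "WS17",
     "service_name": "vmmouse",
     "image_path": r"\SystemRoot\System32\drivers\vmmouse.sys",
     "service_type": "kernel mode driver", "start_type": "demand start"},
    {"time": "2021-11-02T11:05:12", "id": 7045, "host": "WS17",
     "service_name": "Sense",
     "image_path": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "service_type": "user mode service", "start_type": "auto start"},
]

DRIVER_DIR = "\\SYSTEMROOT\\SYSTEM32\\DRIVERS\\"   # where in-box drivers normally live
CORRELATION_WINDOW = timedelta(minutes=5)          # assumption: tune per environment


def _norm(path: str) -> str:
    """Fold the common spellings of the Windows directory into one form."""
    return (path.upper()
            .replace("%SYSTEMROOT%", "\\SYSTEMROOT")
            .replace("C:\\WINDOWS", "\\SYSTEMROOT"))


def hunt(events: list) -> list:
    """Return findings as (host, rule, detail) tuples in event-time order."""
    events = sorted(events, key=lambda e: e["time"])
    network_logons = []          # (time, host, src_ip, user) seen so far
    findings = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            network_logons.append((t, ev["host"], ev["src_ip"], ev["user"]))
            continue
        if ev["id"] != 7045:
            continue
        path = _norm(ev["image_path"])
        # Rule 1: PsExec's service, by name or by binary (renamed services still
        # carry the PSEXESVC.exe image unless the attacker rebuilt the tool).
        if ev["service_name"].upper() == "PSEXESVC" or path.endswith("\\PSEXESVC.EXE"):
            findings.append((ev["host"], "psexec_service_install", ev["image_path"]))
        # Rule 2: a kernel-mode driver loaded from outside the drivers directory.
        elif ev["service_type"] == "kernel mode driver" and not path.startswith(DRIVER_DIR):
            findings.append((ev["host"], "driver_outside_drivers_dir", ev["image_path"]))
        # Rule 3: any service install shortly after a network logon to the same host.
        for lt, lhost, src, user in network_logons:
            if lhost == ev["host"] and timedelta(0) <= t - lt <= CORRELATION_WINDOW:
                findings.append((ev["host"], "service_install_after_network_logon",
                                 f"{ev['service_name']} by {user} from {src}"))
                break
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(EVENTS):
        print(f"{host:6} {rule:38} {detail}")
```

In production this logic would run over the System and Security logs pulled with Get-WinEvent or from a SIEM rather than over an inline list. The driver-path heuristic will flag legitimate third-party drivers installed under Program Files, so the output is a hunting lead rather than a verdict; the natural next step is to check the signature and hash of the flagged driver file, since a driver the operating system had to be tricked into loading is the one artefact this kind of backdoor cannot do without.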