One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 4209564
Publication date 2022-03-01 09:15:01 (viewed: 2022-03-01 19:05:26)
Title Kernel Level RAT "Daxin" Discovered
Text FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather data, perform various command-and-control actions, and exfiltrate data from victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs in advance to create Fortinet protections so that they would be ready for today's announcement.

What separates this backdoor from many others is that Daxin is a Windows kernel-level driver, a class of malware also referred to as a rootkit. Kernel-level rootkits operate at ring 0, which lets them run with the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and use them to perform whatever is needed without raising any suspicion from network administrators and/or endpoint security software. Daxin does not contain capabilities that are unique compared with other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate across multiple nodes on highly secured networks.

This backdoor has been attributed to state-sponsored threat actors of China, where the targets are organizations of interest to the Chinese government.

What Operating Systems Were Targeted?
Windows operating systems.

What is the Likelihood of Exploitation?
Low. This is due to the attacks observed being focused on the specific interests of the threat actors behind Daxin, and not being part of a widespread attack.

Is this Limited to Targeted Attacks?
Yes, all attacks observed were limited to state-sponsored targets. This included governmental organizations of interest, as well as the telecommunications, transportation, and manufacturing sectors.

What is the Status of Coverage?
Customers running the latest AV definitions are protected by the following signatures:
W32/Agent.FF56!tr.bdr
W32/Backdoor.DAXIN!tr
W32/PossibleThreat
W64/Agent.FF56!tr.bdr
W64/Backdoor.DAXIN!tr
W64/Agent.QWHWSZ!tr
Malicious_Behavior.SB
W32/Exforel.B!tr.bdr
Dx.BG3D!tr
W64/Agent.WT!tr
W32/PossibleThreat
Notes
Sent Yes
Tags Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.