
Rewterz Threat Alert – Daxin Malware – Active IOCs

March 4, 2022

Severity

High

Analysis Summary

Security researchers have identified a new malware family called Daxin. It is a backdoor that lets an attacker read and write arbitrary files on the infected system, start and interact with arbitrary processes, and perform other operations. Daxin’s stealth and communication capabilities make it a valuable asset for attackers. It communicates by hijacking legitimate TCP/IP connections: it monitors incoming TCP traffic and connections and, whenever it detects certain communication patterns, takes over the connection by disconnecting the legitimate user. It then performs a custom key exchange with the remote peer, in which the two sides follow complementary steps. Once the key exchange succeeds, an encrypted channel is opened over which Daxin receives commands and sends responses. Because it rides on hijacked TCP connections, Daxin can establish connectivity on networks with strict firewall rules while keeping its communications highly stealthy, and SOC analysts monitoring for network anomalies may have a hard time detecting it.

Impact

  • Code Execution
  • Data Exfiltration

Indicators of Compromise

MD5

  • b0770094c3c64250167b55e4db850c04
  • 46a9627fea9e34bea545aac6a991ff56
  • 3f408d4d9c27b174d67c6154f8063092
  • 62c18d61ed324088f963510bae43b831
  • a6e9d6505f6d2326a8a9214667c61c67
  • 1cd158a64f3d886357535382a6fdad75
  • 8636fe3724f2bcba9399daffd6ef3c7e
  • 79df0eabbf2895e4e2dae15a4772868c
  • 47e6ac52431ca47da17248d80bf71389
  • 6d131a7462e568213b44ef69156f10a5
  • 4b058945c9f2b8d8ebc485add1101ba5
  • bd5b0514f3b40f139d8079138d01b5f6
  • 491aec2249ad8e2020f9f9b559ab68a8
  • 14580bd59c55185115fd3abe73b016a2
  • f242cffd9926c0ccf94af3bf16b6e527
  • 50b39072d0ee9af5ef4824eca34be6e3
  • 0ae30291c6cbfa7be39320badd6e8de0

SHA-256

  • 06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
  • 0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555
  • 3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4
  • 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
  • 5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae
  • 5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a
  • 6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f
  • 8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
  • b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
  • b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3
  • e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e
  • 7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
  • 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
  • 96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
  • 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
  • c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c
  • e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217

SHA-1

  • 6abbc3003c7aa69ce79cbbcd2e3210b07f21d202
  • a53e46a5d401e8a87fe1520e75ebcbe69ea6e6d1
  • dd6fcbe0e3c6997e3358788c156dc937c72af8a0
  • 8302802b709ad242a81b939b6c90b3230e1a1f1e
  • cb3f30809b05cf02bc29d4a7796fb0650271e542
  • a48aa80942fc8e0699f518de4fd6512e341d4196
  • 3b6b35bca1b05fafbfc883a844df6d52af44ccdc
  • d02403f85be6f243054395a873b41ef8a17ea279
  • d417c0be261b0c6f44afdec3d5432100e420c3ed
  • 25bf4e30a94df9b8f8ab900d1a43fd056d285c9d
  • 37e6450c7cd6999d080da94b867ba23faa8c32fe
  • 73bac306292b4e9107147db94d0d836fdb071e33
  • 8692274681e8d10c26ddf2b993f31974b04f5bf0
  • 71469dce9c2f38d0e0243a289f915131bf6dd2a8
  • 53f776d9a183c42b93960b270dddeafba74eb3fb
  • 064de88dbbea67c149e779aac05228e5405985c7
  • c257aa4094539719a3c7b7950598ef872dbf9518

Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
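The following script is an added example of the second remediation step, searching an environment for the file hashes above; it is not a Rewterz tool and not part of the original advisory. It embeds a subset of the advisory's MD5, SHA-1 and SHA-256 indicators (the full lists are on this page and should be pasted in before a real sweep), hashes every file under a directory in one pass, and reports any digest that matches. The demo directory, its file name and its "hello" content are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Subset of the Daxin file hashes listed in the advisory above; extend each set
# with the full MD5 / SHA-1 / SHA-256 lists from the page before a real sweep.
DAXIN_MD5 = {
    "b0770094c3c64250167b55e4db850c04",
    "46a9627fea9e34bea545aac6a991ff56",
    "3f408d4d9c27b174d67c6154f8063092",
}
DAXIN_SHA1 = {
    "6abbc3003c7aa69ce79cbbcd2e3210b07f21d202",
    "a53e46a5d401e8a87fe1520e75ebcbe69ea6e6d1",
    "dd6fcbe0e3c6997e3358788c156dc937c72af8a0",
}
DAXIN_SHA256 = {
    "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4",
    "0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555",
    "3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4",
}
IOC_SETS = {"md5": DAXIN_MD5, "sha1": DAXIN_SHA1, "sha256": DAXIN_SHA256}


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Compute all requested digests of a file in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests):
    """Return the (algorithm, digest) pairs that appear in the advisory's IoC sets."""
    return [
        (alg, digest.lower())
        for alg, digest in digests.items()
        if digest.lower() in IOC_SETS.get(alg, set())
    ]


def scan_directory(root):
    """Walk a directory tree and report every file whose digest is a listed IoC."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                # Unreadable or vanished file (locked, permission denied): skip it and keep going.
                continue
            for alg, digest in match_digests(digests):
                hits.append((path, alg, digest))
    return hits


def run_demo():
    """Scan a constructed directory holding one benign file; return its digests and the hits."""
    root = tempfile.mkdtemp(prefix="daxin_ioc_demo_")  # constructed demo location
    sample = os.path.join(root, "benign.bin")
    with open(sample, "wb") as fh:
        fh.write(b"hello")  # constructed sample content, not malware
    digests = hash_file(sample)
    hits = scan_directory(root)
    return digests, hits


if __name__ == "__main__":
    demo_digests, demo_hits = run_demo()
    print("sample digests:", demo_digests)
    print("IoC hits:", demo_hits or "none")
```

Run it against a real path with `scan_directory("/path/to/check")`; matches are returned as (path, algorithm, digest) tuples so they can be fed straight into a ticket or a SIEM lookup. Digests are lower-cased before comparison so that hashes copied from uppercase tooling output still match.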
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.