Daxin comes in the form of a Windows kernel driver, a relatively rare format for malware nowadays.
It implements advanced communications functionality, which both provides a high degree of stealth and permits the attackers to communicate with infected computers on highly secured networks, where direct internet connectivity is not available.
These features are reminiscent of Regin, an advanced espionage tool discovered by Symantec in 2014 that others have linked to Western intelligence services.
Daxin’s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target’s network. Specifically, the malware avoids starting its own network services.
Instead, it can abuse any legitimate services already running on the infected computers.
Daxin is also capable of relaying its communications across a network of infected computers within the attacked organization.
The attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity.
This use case has been optimized by Daxin’s designers.
Daxin also features network tunneling, allowing attackers to communicate with legitimate services on the victim’s network that can be reached from any infected computer.
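The relaying and tunneling described above leave a shape in network flow data: a connection arriving at one infected host is followed, moments later, by a connection from that host onward to the next hop, each landing on a port where a legitimate service already listens. The following Python is an added example of a detection heuristic over flow records, not code from the original post and not Daxin's own protocol; the flow records are constructed, and the addresses, ports, time gap and minimum hop count are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst, dst_port), not indicators
# from the original post: a four-hop relay through internal hosts, each hop
# landing on a port where a legitimate service already listens, plus two
# unrelated flows that must not be chained together.
FLOWS = [
    ("2024-01-10T09:00:00", "10.0.1.5",  "10.0.2.7",  445),
    ("2024-01-10T09:00:02", "10.0.2.7",  "10.0.3.9",  445),
    ("2024-01-10T09:00:04", "10.0.3.9",  "10.0.4.11", 3389),
    ("2024-01-10T09:00:05", "10.0.4.11", "10.0.5.20", 1433),  # tunnelled access to a database service
    ("2024-01-10T11:15:00", "10.0.1.5",  "10.0.9.1",  80),    # ordinary web request
    ("2024-01-10T11:40:00", "10.0.9.1",  "10.0.9.2",  53),    # too far apart in time to be a hop
]


def parse_flows(rows):
    """Convert raw (iso_timestamp, src, dst, port) tuples into time-sorted flows."""
    return sorted(
        ((datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in rows),
        key=lambda f: f[0],
    )


def find_relay_chains(rows, max_gap_seconds=10, min_hops=3):
    """Return maximal chains of flows where each flow originates from the
    destination host of the previous one and starts within max_gap_seconds
    of it. Only chains with at least min_hops flows are reported."""
    flows = parse_flows(rows)
    gap = timedelta(seconds=max_gap_seconds)
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)

    def is_head(f):
        # A chain head is a flow whose source host was not itself reached by
        # another flow just before it; starting only from heads avoids
        # reporting every suffix of the same chain as a separate finding.
        return not any(g[2] == f[1] and f[0] - gap <= g[0] <= f[0] for g in flows)

    chains = []

    def extend(chain):
        last = chain[-1]
        visited = {h[1] for h in chain}  # hosts already used as a source: no cycles
        extended = False
        for nxt in by_src.get(last[2], []):
            if last[0] <= nxt[0] <= last[0] + gap and nxt[2] not in visited:
                extend(chain + [nxt])
                extended = True
        if not extended and len(chain) >= min_hops:
            chains.append([(f[1], f[2], f[3]) for f in chain])

    for f in flows:
        if is_head(f):
            extend([f])
    return chains


def chain_hosts(chain):
    """Ordered list of hosts traversed by a chain: [src, hop1, ..., final dst]."""
    return [chain[0][0]] + [dst for _, dst, _ in chain]


if __name__ == "__main__":
    for chain in find_relay_chains(FLOWS):
        print(" -> ".join(chain_hosts(chain)), [port for _, _, port in chain])
```

Legitimate multi-tier applications (web to app to database) produce the same hop-by-hop shape, so the gap and hop thresholds need tuning per environment and known tiers should be allowlisted; chains that terminate on hosts in segments without direct internet connectivity deserve the first look, since that is exactly where the relaying described above is designed to reach.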