CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Malware & Threats

‘DKnife’ Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks

Used since at least 2019, DKnife has been targeting the desktop, mobile, and IoT devices of Chinese users. The post ‘DKnife’ Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks appeared first on SecurityWeek.

Chinese hackers

For well over half a decade, a China-linked threat actor has been operating a gateway-monitoring and adversary-in-the-middle (AitM) framework to deliver and interact with backdoors, Cisco’s Talos researchers warn.

Dubbed DKnife, the framework consists of seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery, and has been active since at least 2019.

The framework mainly targets Chinese-speaking users, delivering and interacting with backdoors such as ShadowPad and DarkNimbus on desktop, mobile, and IoT devices.

DarkNimbus, also known as DarkNights, is supplied by the Chinese firm UPSEC, which was previously associated with the Chinese APT TheWizards, the operator of the Spellbinder AitM framework.

According to Talos, there are overlaps between DKnife and Spellbinder TTPs, and the WizardNet backdoor has been distributed by DKnife, suggesting “a shared development or operational lineage”.

The same as Spellbinder, DKnife targets Chinese platforms and applications, including mail and messaging services. Its code also references Chinese media websites, Talos says.

However, the cybersecurity firm points out that its analysis is based on configuration files from a single command-and-control (C&C) server, and that other servers could be used to target different geographies (WizardNet was used in the Philippines, Cambodia, and the UAE as well).

DKnife was built to monitor and manipulate network traffic and to interact with backdoors running on victims’ systems. It can update the backdoors, hijack DNS traffic, hijack Android application updates and downloads, and exfiltrate user activity to the C&C.

It can also hijack Windows and other binary downloads, deploy the ShadowPad and DarkNimbus backdoors, intercept and disrupt traffic associated with antivirus and PC-management products, and monitor and report on the user’s network activity.

Additionally, it can steal credentials for a major Chinese email provider (by hijacking encrypted connections to extract plaintext usernames and passwords) and can serve phishing pages for other services.

“Based on the language used in the code, configuration files and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool,” Cisco notes.

Related: Cisco Patches Vulnerability Exploited by Chinese Hackers

Related: Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit

Related: Chinese APT ‘LongNosedGoblin’ Targeting Asian Governments

Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery

Latest News

CYBERNEWSMEDIAPublisher