For well over half a decade, a China-linked threat actor has been operating a gateway-monitoring and adversary-in-the-middle (AitM) framework to deliver and interact with backdoors, Cisco’s Talos researchers warn.
Dubbed DKnife, the framework consists of seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery, and has been active since at least 2019.
The framework mainly targets Chinese-speaking users, delivering and interacting with backdoors such as ShadowPad and DarkNimbus on desktop, mobile, and IoT devices.
DarkNimbus, also known as DarkNights, is supplied by the Chinese firm UPSEC, which was previously associated with the Chinese APT TheWizards, the operator of the Spellbinder AitM framework.
According to Talos, there are overlaps between DKnife and Spellbinder TTPs, and the WizardNet backdoor has been distributed by DKnife, suggesting “a shared development or operational lineage”.
The same as Spellbinder, DKnife targets Chinese platforms and applications, including mail and messaging services. Its code also references Chinese media websites, Talos says.
However, the cybersecurity firm points out that its analysis is based on configuration files from a single command-and-control (C&C) server, and that other servers could be used to target different geographies (WizardNet was used in the Philippines, Cambodia, and the UAE as well).
DKnife was built to monitor and manipulate network traffic and to interact with backdoors running on victims’ systems. It can update the backdoors, hijack DNS traffic, hijack Android application updates and downloads, and exfiltrate user activity to the C&C.
It can also hijack Windows and other binary downloads, deploy the ShadowPad and DarkNimbus backdoors, intercept and disrupt traffic associated with antivirus and PC-management products, and monitor and report on the user’s network activity.
Additionally, it can steal credentials for a major Chinese email provider (by hijacking encrypted connections to extract plaintext usernames and passwords) and can serve phishing pages for other services.
“Based on the language used in the code, configuration files and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool,” Cisco notes.
Related: Cisco Patches Vulnerability Exploited by Chinese Hackers
Related: Chinese APT Mustang Panda Caught Using Kernel-Mode Rootkit
Related: Chinese APT ‘LongNosedGoblin’ Targeting Asian Governments
Related: Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery
