Cybersecurity experts have recently unveiled a sophisticated adversary-in-the-middle (AitM) framework known as DKnife, which has been used by China-linked threat actors since at least 2019. This framework, primarily targeting Chinese-speaking users, employs seven Linux-based implants for deep packet inspection, traffic manipulation, and malware distribution through routers and edge devices.
Unveiling the DKnife Framework
The DKnife framework is engineered to exploit a variety of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. Cisco Talos researcher Ashley Shen reports that DKnife facilitates the distribution of ShadowPad and DarkNimbus backdoors by intercepting binary downloads and Android application updates. This discovery arose from ongoing surveillance of another Chinese threat group named Earth Minotaur.
Further analysis of DKnife’s infrastructure has exposed an IP address associated with WizardNet, a Windows implant deployed by TheWizards, another China-aligned advanced persistent threat (APT) group. The connection suggests possible shared strategies across different threat actors targeting regions such as Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.
Components and Capabilities of DKnife
Unlike WizardNet, DKnife operates on Linux-based systems and is structured to execute numerous functions, from packet analysis to traffic manipulation. Delivered via an ELF downloader, DKnife comprises seven distinct components: dknife.bin, postapi.bin, sslmm.bin, mmdown.bin, yitiji.bin, remote.bin, and dkupdate.bin. These components collaborate to conduct deep packet inspection, report user activities, hijack DNS, and maintain the functioning of the framework.
One of DKnife’s standout capabilities is its ability to harvest credentials from a major Chinese email provider. The sslmm.bin module, a reverse proxy, conducts TLS termination, decrypts emails, and reroutes URLs, extracting usernames and passwords for later relay to command-and-control (C2) servers. This highlights DKnife’s extensive reach and adaptability in executing cyber attacks.
Implications and Future Threats
The primary component, dknife.bin, is pivotal for deep packet inspection, enabling operators to conduct covert monitoring and active in-line attacks. This includes DNS-based hijacking and manipulation of Android app updates related to Chinese services, replacing legitimate downloads with malicious payloads. By interfering with antivirus and PC-management software, DKnife further extends its influence over compromised systems.
As threat actors increasingly target routers and edge devices, understanding the tools and techniques they employ is paramount. The discovery of the DKnife framework underscores the advanced nature of contemporary AitM threats, which combine deep packet inspection, traffic manipulation, and tailored malware distribution across multiple device types. This development necessitates heightened vigilance and robust cybersecurity measures to protect against such sophisticated attacks.
