Over the past several years, a threat actor with ties to China has been actively employing a sophisticated framework designed for adversary-in-the-middle (AitM) attacks. According to researchers from Cisco Talos, the framework is used to monitor gateways and deliver backdoors, which gives it considerable reach over the traffic of every host behind a compromised gateway.
DKnife Framework and Its Components
The framework, known as DKnife, comprises seven Linux-based implants. These implants are engineered for deep packet inspection, traffic manipulation, and the distribution of malware. Active since at least 2019, the framework specifically targets Chinese-speaking users, which makes it a narrowly focused tool rather than a broadly deployed one.
DKnife interacts with backdoors like ShadowPad and DarkNimbus, adapting to a variety of devices including desktop computers, mobile phones, and IoT devices. DarkNimbus, also referred to as DarkNights, is associated with UPSEC, a Chinese firm previously linked to the APT group TheWizards, which operates the Spellbinder AitM framework.
Connections and Targeting Strategies
There are notable similarities between the operational methods of DKnife and Spellbinder, with the WizardNet backdoor being a common element distributed by DKnife. This suggests a potential shared development lineage or operational strategy between these frameworks. DKnife’s primary targets are Chinese platforms and applications, including email and messaging services, with its code referencing Chinese media websites.
Despite this targeted approach, Talos researchers caution that their findings are based on data from a single command-and-control (C&C) server. Other servers could target different regions, as suggested by the use of WizardNet in countries such as the Philippines, Cambodia, and the UAE.
Capabilities and Implications of DKnife
DKnife is capable of extensive network traffic monitoring and manipulation, interacting directly with backdoors on compromised systems. It can update these backdoors, hijack DNS traffic, intercept Android application updates, and exfiltrate user activity to its C&C server. It can also disrupt traffic associated with antivirus and PC management tools, and intercept and monitor users' network activity.
In addition, DKnife can steal credentials from a major Chinese email provider by intercepting encrypted connections and extracting usernames and passwords. It also serves phishing pages to capture credentials for other services. Cisco attributes the operation of DKnife to China-based threat actors with high confidence, based on the language and configuration files observed.
The implications of such advanced cyber threats are significant, underscoring the need for heightened vigilance and robust cybersecurity measures. As these threat actors continue to evolve, organizations must remain proactive in safeguarding their networks against such sophisticated attacks.
