China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
Briefly

"Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Its primary targets seem to be Chinese-speaking users, an assessment based on the presence of credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat,"
"The cybersecurity company said it discovered DKnife as part of its ongoing monitoring of another Chinese threat activity cluster codenamed Earth Minotaur that's linked to tools like the MOONSHINE exploit kit and the DarkNimbus (aka DarkNights) backdoor. Interestingly, the backdoor has also been put to use by a third China-aligned advanced persistent threat (APT) group called TheWizards. An analysis of DKnife's infrastructure has uncovered an IP address hosting WizardNet, a Windows implant deployed by TheWizards via an AitM framework referred to as Spellbinder."
DKnife has been operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Primary targets are Chinese-speaking users, evidenced by credential-harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications such as WeChat, and code references to Chinese media domains. DKnife delivers and interacts with ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates. Infrastructure links connect DKnife to the Earth Minotaur cluster, MOONSHINE, TheWizards, WizardNet, and the Spellbinder AitM framework. Configuration files from a single C2 server indicate regional targeting and suggest other servers may host different configurations.
Read at The Hacker News