| Daixin Ransomware | |
| --- | --- |
| Other Names | Daixin Team |
| Date of Initial Activity | 2022 |
| Location | Unknown |
| Suspected Attribution | Ransomware Group |
| Motivation | Data Theft |
| Software | Windows |
Overview
The Daixin ransomware group is a financially motivated cybercrime organization that has rapidly emerged as a significant threat since its inception in June 2022. Known for its sophisticated tactics and targeted attacks, Daixin has predominantly focused on sectors with critical operational dependencies, most notably the US Healthcare and Public Health (HPH) sector. This group’s activities have led to the compromise of electronic health records (EHRs), personally identifiable information (PII), patient health information (PHI), and the disruption of essential healthcare services. By leveraging double extortion techniques, Daixin encrypts critical files while threatening to release stolen data, placing immense pressure on victims to comply with their demands.
Although healthcare has been a primary target, Daixin has demonstrated its ability to attack diverse industries. Notable incidents include the 2022 breach of Malaysia’s AirAsia Group, which exposed the personal data of over five million passengers and employees, and the 2023 compromise of B&G Foods, a multibillion-dollar conglomerate. In both cases, the victims refused to pay the ransom, prompting Daixin to publicly release sensitive data on its leak site. These attacks underscore the group’s capacity to cause widespread operational and reputational harm.
Daixin’s technical sophistication is another hallmark of its operations. The group typically gains initial access to networks through vulnerabilities in virtual private network (VPN) servers or by using credentials obtained through phishing campaigns. Once inside, Daixin uses advanced lateral movement techniques to infiltrate systems and exfiltrate sensitive data. Its encryption methods, based on the Babuk Locker strain, target critical systems, including VMware ESXi servers, rendering virtual machines and databases inoperable. These multi-layered attack strategies make Daixin a formidable adversary for cybersecurity teams.
Common targets
Health Care and Social Assistance
Transportation and Warehousing – United States
Malaysia
Attack Vectors
Software Vulnerabilities
Remote Desktop Protocol (RDP)
How they operate
Initial access is a cornerstone of Daixin’s strategy. The group predominantly targets virtual private network (VPN) servers, exploiting misconfigurations and vulnerabilities to penetrate enterprise defenses. Where no exploitable software flaw is available, they turn to phishing campaigns aimed at extracting login credentials from unsuspecting employees. By compromising VPN access points, Daixin bypasses perimeter defenses and establishes a foothold in the victim’s environment, from which they stage their multi-pronged attack.
Once inside the network, Daixin focuses on reconnaissance and lateral movement. The group conducts a thorough exploration of the compromised environment, using advanced tools to harvest credentials and map the internal network. Stolen credentials often facilitate lateral movement via Secure Shell (SSH) and Remote Desktop Protocol (RDP), enabling Daixin to navigate through critical systems. Their choice of utilities, including Rclone for cloud storage management and Ngrok for establishing reverse proxies, reflects a deliberate selection of tooling for exfiltrating data over encrypted channels while avoiding detection.
Data encryption and exfiltration represent the final stages of Daixin’s attack lifecycle. Leveraging a ransomware module based on the Babuk Locker strain, they encrypt files with the ChaCha8 stream cipher, rendering them inaccessible to victims. For larger files, Daixin encrypts only selected segments, which speeds up the process while still leaving the file unusable. They also target VMware ESXi servers, resetting administrative credentials and encrypting virtual machine files, further crippling victim operations. Stolen data is then used as leverage in double-extortion schemes, where organizations are pressured to pay ransom demands under the threat of public exposure.
The Daixin ransomware group exemplifies the evolving complexity of modern ransomware campaigns. Their blend of technical sophistication and psychological manipulation poses significant challenges to organizations and cybersecurity teams. By understanding their operational methods, enterprises can better prepare to defend against this persistent threat, emphasizing proactive measures such as patch management, credential security, and network segmentation.
MITRE Tactics and Techniques
1. Initial Access
Technique: Exploit Public-Facing Application (T1190)
Daixin Team exploits vulnerabilities in virtual private network (VPN) servers to gain initial access to target networks.
Technique: Phishing (T1566)
They use phishing campaigns to harvest VPN credentials from employees of targeted organizations.
2. Execution
Technique: Command and Scripting Interpreter (T1059)
The group uses scripts and commands for deploying ransomware and lateral movement.
3. Persistence
Technique: Valid Accounts (T1078)
Stolen credentials allow Daixin Team to maintain access to compromised networks.
4. Privilege Escalation
Technique: Valid Accounts (T1078)
The group leverages stolen credentials that carry elevated privileges to take further actions within the network.
5. Defense Evasion
Technique: Obfuscated Files or Information (T1027)
The group employs obfuscation techniques to bypass detection mechanisms.
Technique: Indicator Removal on Host (T1070)
They delete logs or other traces of their activities to avoid detection.
6. Credential Access
Technique: Credential Dumping (T1003)
Daixin extracts credentials stored within systems to facilitate lateral movement.
7. Discovery
Technique: System Network Configuration Discovery (T1016)
Conducts reconnaissance to map out the target network and identify key systems.
Technique: Remote System Discovery (T1018)
Identifies accessible systems for lateral movement.
8. Lateral Movement
Technique: Remote Services (T1021)
Uses protocols like SSH and RDP for lateral movement within the network.
9. Collection
Technique: Data from Information Repositories (T1213)
Targets databases and shared drives containing sensitive information.
10. Exfiltration
Technique: Exfiltration Over Alternative Protocol (T1048)
Utilizes tools like Rclone and Ngrok to transfer stolen data to external servers.
11. Impact
Technique: Data Encrypted for Impact (T1486)
Deploys ransomware to encrypt critical files and systems, including VMware ESXi servers.
Technique: Service Stop (T1489)
Terminates services to facilitate encryption of files in use.
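As an added example (not code from the original profile or from any vendor tooling), the following Python script replays constructed telemetry and flags two of the behaviours described in the "How they operate" section and the technique list above: Rclone/Ngrok execution (T1048) and interactive RDP logons from outside an expected jump-host subnet (T1021). The event schema, field names, the jump-host subnet and all sample events are assumptions made for this example; map them onto your own EDR or SIEM fields.

```python
"""Added example, not from the original profile: flag Daixin-style exfiltration
tooling and RDP lateral movement in constructed process/logon events, tagging
each hit with the ATT&CK technique ID listed in the profile."""
import re

# Image names the profile associates with exfiltration / reverse proxies (T1048).
EXFIL_TOOLS = re.compile(r"(?:^|[\\/])(rclone|ngrok)(?:\.exe)?$", re.IGNORECASE)
# Assumed: interactive RDP sessions should only originate from this jump-host subnet.
EXPECTED_RDP_SOURCES = ("10.10.5.",)

def match_event(event):
    """Return (technique_id, reason) if the event matches a rule, else None."""
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "")
        if EXFIL_TOOLS.search(image):
            return ("T1048", f"exfiltration tool executed: {image}")
    elif kind == "logon":
        # Windows logon type 10 = RemoteInteractive (RDP).
        src = event.get("src_ip", "")
        if event.get("logon_type") == 10 and not src.startswith(EXPECTED_RDP_SOURCES):
            return ("T1021", f"RDP logon from unexpected source {src} as {event['user']}")
    return None

def detect(events):
    """Run every event through match_event; return (host, technique, reason) hits."""
    hits = []
    for ev in events:
        m = match_event(ev)
        if m:
            hits.append((ev["host"], m[0], m[1]))
    return hits

# Constructed sample telemetry (not real IoCs): one benign process, one rclone run,
# one ngrok run, one RDP logon from the jump-host subnet, one from a user VLAN.
SAMPLE_EVENTS = [
    {"type": "process", "host": "fileserver01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "host": "fileserver01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares remote:backup"},
    {"type": "process", "host": "ws-042", "image": "/tmp/ngrok"},
    {"type": "logon", "host": "dc01", "logon_type": 10, "src_ip": "10.10.5.12", "user": "helpdesk"},
    {"type": "logon", "host": "app-srv02", "logon_type": 10, "src_ip": "10.20.7.33", "user": "svc_backup"},
]

if __name__ == "__main__":
    for host, tid, reason in detect(SAMPLE_EVENTS):
        print(f"{host}: {tid} - {reason}")
```

Tuning the jump-host allowlist and adding your own image-path rules (for example, Rclone renamed or dropped into user-writable directories) is where the real detection value lies; the rules here are deliberately narrow so the logic is easy to follow.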