A newly discovered toolkit called DKnife has been used since 2019 to hijack traffic at the edge-device level and deliver malware in espionage campaigns.
The framework serves as a post-compromise framework for traffic monitoring and adversary-in-the-middle (AitM) activities. It is designed to intercept and manipulate traffic destined for endpoints (computers, mobile devices, IoTs) on the network.
Researchers at Cisco Talos say that DKnife is an ELF framework with seven Linux-based components designed for deep packet inspection (DPI), traffic manipulation, credential harvesting, and malware delivery.
The malware features Simplified Chinese language artifacts in component names and code comments, and explicitly targets Chinese services such as email providers, mobile apps, media domains, and WeChat users.
Talos researchers assess with high confidence that the operator of DKnife is a China-nexus threat actor.
DKnife's seven components and their functionality
Source: Cisco Talos
Researchers couldn't determine how the network equipment is compromised, but found that DKnife delivers and interacts with the ShadowPad and DarkNimbus backdoors, both associated with Chinese threat actors.
DKnife consists of seven modules, each responsible for specific activities related to communication with the C2 servers, relaying or altering traffic, and hiding the malicious traffic origin:
dknife.bin - responible for packet inspection and attack logics, it also reports attack status, user activities, and sends collected data
... continue reading