Full Report
Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Its primary targets seem to
Analysis Summary
# Threat Actor: China-Nexus Threat Actors (Associated with Earth Minotaur, TheWizards)
## Attribution & Identity
* **Origin/Nexus:** China-nexus threat actors.
* **Known Aliases/Associations:** Associated with the Earth Minotaur activity cluster. Infrastructure links suggest connections to TheWizards APT group, which uses related tools like WizardNet and the Spellbinder AitM framework.
## Activity Summary
* **Historical Activities:** Operating the DKnife framework since at least 2019.
* **Recent Campaigns:** The framework is used for sophisticated gateway monitoring and Adversary-in-the-Middle (AitM) attacks, hijacking traffic and delivering malware through compromised routers and edge devices. The activity involves interaction with established backdoors like ShadowPad and DarkNimbus.
## Tactics, Techniques & Procedures
* **Deployment platform:** Utilizes Linux-based implants designed to operate on routers and edge devices.
* **Deep Packet Inspection (DPI):** Core function of `dknife.bin` to analyze network traffic.
* **Traffic Manipulation/Hijacking:** Capable of DNS hijacking and hijacking binary downloads, including Android application updates.
* **Adversary-in-the-Middle (AitM):** Uses a modified HAProxy reverse proxy (`sslmm.bin`) for TLS termination, email decryption (POP3/IMAP), and URL rerouting.
* **Credential Harvesting:** Actively harvests credentials by presenting rogue TLS certificates to decrypt traffic and extracting usernames/passwords.
* **Malware Delivery:** Delivers and interacts with ShadowPad and DarkNimbus backdoors.
* **Persistence/Maintenance:** Includes an updater and watchdog module (`dkupdate.bin`) ensuring components remain active.
* **Lateral Movement/C2:** Establishes P2P VPN channels (`remote.bin`) for communication with remote C2 infrastructure.
## Targeting
* **Sectors:** Broad targeting of PCs, mobile devices, and IoT devices.
* **Geography:** Primary observed targeting focuses on **Chinese-speaking users**, evidenced by phishing pages for Chinese email services and exfiltration modules for Chinese mobile apps (e.g., WeChat).
* **Victims:** While specific victims are not named, the infrastructure connections suggest overlap with TheWizards' known targeting of the **gambling sector** across **Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.**
## Tools & Infrastructure
* **Malware Families used:** DKnife framework (seven distinct Linux implants), ShadowPad, DarkNimbus.
* **Specific DKnife Components:**
  * `dknife.bin` (Core inspection and hijacking)
  * `postapi.bin` (C2 data relay)
  * `sslmm.bin` (TLS termination/Email decryption proxy)
  * `mmdown.bin` (Malware updater)
  * `yitiji.bin` (LAN traffic bridging/injection)
  * `remote.bin` (P2P VPN client)
  * `dkupdate.bin` (Watchdog/Updater)
* **Infrastructure (C2, domains, IPs):** Infrastructure analysis uncovered connections to **WizardNet** (a Windows implant) hosted on an IP address associated with TheWizards' Spellbinder framework. Specific C2 IPs/URLs were not provided in the summary context.
## Implications
The deployment of DKnife on routers and edge devices represents a significant, low-level persistent access threat. By compromising the gateway, the actors gain the capability to perform man-in-the-middle attacks at scale, decrypt sensitive communications (including email), manipulate traffic to serve malware/updates, and harvest credentials across all internal and external traffic traversing the device. The strong association with established Chinese APT activity clusters suggests state-sponsored motivations or high-value espionage goals.
## Mitigations
* **Router/Edge Device Hardening:** Implement rigorous security monitoring and patching for all network gateway devices (routers, firewalls) running Linux or similar operating systems.
* **Traffic Inspection:** Deploy advanced intrusion detection/prevention systems capable of detecting encrypted traffic anomalies such as unexpected TLS certificate presentations (relevant to `sslmm.bin` operations).
* **Monitoring for Implant Artifacts:** Scan network devices and endpoint systems for known components or related malware families (ShadowPad, DarkNimbus).
* **Credential Security:** Enforce strong authentication mechanisms, particularly MFA, to mitigate credential theft resulting from plaintext decryption or phishing attempts.
* **DNS Monitoring:** Monitor for anomalous DNS resolutions originating from network infrastructure that may indicate hijacking (e.g., answers that disagree with a trusted out-of-band resolver).
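The two detection ideas in the mitigations above (unexpected TLS certificate presentations in the **Traffic Inspection** item, and hijacked DNS answers in the **DNS Monitoring** item) both reduce to comparing what clients behind a gateway actually observed against a baseline established out-of-band. The following is an added example written for this summary, not code from the report or from any of the named tools; the host names, issuer strings, fingerprints, and IP addresses are constructed placeholders, and the observation records stand in for what a sensor such as Zeek's `ssl.log` and `dns.log` would supply.

```python
"""Added example (not part of the report): baseline-comparison detector for
two anomalies the mitigations call out -- a TLS certificate presented to a
client that differs from the pinned one for that SNI, and a DNS answer that
disagrees with a trusted out-of-band resolver. All inputs are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class TlsObservation:
    client_ip: str
    sni: str          # server name the client asked for
    issuer: str       # issuer DN of the leaf certificate presented
    leaf_sha256: str  # SHA-256 fingerprint of the presented leaf certificate


@dataclass(frozen=True)
class DnsObservation:
    client_ip: str
    qname: str
    answers: frozenset  # A records returned to the client


# Baseline per SNI: issuer and leaf fingerprints validated out-of-band.
# Constructed placeholder values, not real certificates.
TLS_BASELINE = {
    "mail.example.test": {
        "issuer": "CN=Example Public CA",
        "leaf_sha256": {"aa11" * 16},
    },
}

# Expected A records from a resolver reached over an out-of-band path.
# Constructed placeholder values (RFC 5737 documentation ranges).
DNS_BASELINE = {
    "update.example.test": frozenset({"198.51.100.10", "198.51.100.11"}),
    "mail.example.test": frozenset({"198.51.100.20"}),
}


def check_tls(observations):
    """Return alert strings for sessions whose presented certificate differs
    from the baseline for that SNI. Names without a pin are skipped."""
    alerts = []
    for o in observations:
        base = TLS_BASELINE.get(o.sni)
        if base is None:
            continue
        if o.issuer != base["issuer"]:
            alerts.append(f"tls-issuer-mismatch {o.client_ip} {o.sni} issuer={o.issuer!r}")
        elif o.leaf_sha256 not in base["leaf_sha256"]:
            alerts.append(f"tls-leaf-mismatch {o.client_ip} {o.sni} sha256={o.leaf_sha256[:16]}")
    return alerts


def check_dns(observations):
    """Return alert strings for answers containing addresses outside the
    trusted-resolver baseline for that name (a hijack indicator)."""
    alerts = []
    for o in observations:
        expected = DNS_BASELINE.get(o.qname)
        if expected is None:
            continue
        rogue = o.answers - expected
        if rogue:
            alerts.append(f"dns-answer-mismatch {o.client_ip} {o.qname} unexpected={sorted(rogue)}")
    return alerts


# Constructed sample observations: a clean TLS session, one where the
# certificate came from an unknown issuer, one with the right issuer but an
# unpinned leaf, a clean DNS answer, and an answer steering the update host
# to an address outside the baseline.
SAMPLE_TLS = [
    TlsObservation("10.0.0.5", "mail.example.test", "CN=Example Public CA", "aa11" * 16),
    TlsObservation("10.0.0.7", "mail.example.test", "CN=Gateway Local CA", "bb22" * 16),
    TlsObservation("10.0.0.9", "mail.example.test", "CN=Example Public CA", "cc33" * 16),
]
SAMPLE_DNS = [
    DnsObservation("10.0.0.5", "mail.example.test", frozenset({"198.51.100.20"})),
    DnsObservation("10.0.0.7", "update.example.test", frozenset({"203.0.113.9"})),
]


def run():
    """Evaluate both checks over the constructed samples."""
    return check_tls(SAMPLE_TLS) + check_dns(SAMPLE_DNS)


if __name__ == "__main__":
    for line in run():
        print(line)
```

The baseline is the whole point: because the gateway itself is the suspect, neither the certificate chain the client sees nor the resolver the client is handed by DHCP can be trusted as ground truth, so the pins and expected records must be gathered over a path that does not traverse the device under suspicion.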