NEWS Your router is spying on you. And it's been doing so for (at least) the last five years.

pinkman

Experts have discovered the DKnife platform, designed to intercept traffic at the network equipment level.
Cisco Talos researchers discovered a hidden attack platform that had been operating undetected for years inside network equipment, spoofing users' internet traffic. The malware, dubbed "DKnife," infiltrates routers and edge network devices, spies on data, and delivers compromised software updates to victims.

The report's authors found that DKnife is a fully-fledged traffic monitoring and interception tool. It consists of seven Linux modules and can analyze network packets, modify server responses, redirect file downloads, and distribute malware. Service data contained within the files indicates that the tool has been in use since at least 2019, and the command-and-control servers remain operational.

The platform attacks a wide range of devices, from regular computers and smartphones to IoT devices. Its primary tactic is to intercept downloads and software updates. Instead of a legitimate file, an infected one is secretly sent to the victim. This method was used to distribute the well-known malicious backdoors ShadowPad and DarkNimbus. This substitution was also used against Android app updates.

Analysis revealed that the attacks primarily target Chinese-speaking users. Credential theft modules target Chinese email services and popular mobile apps. Numerous comments in simplified Chinese, as well as references to local internet services and media, were found in the code and settings. Based on these indicators, researchers confidently associate the tool with hacker groups of Chinese origin.

While examining the command-and-control infrastructure, specialists discovered overlaps with another malicious campaign using the WizardNet backdoor. It was previously distributed through a different traffic interception system. Similar operating methods, identical link redirects, and server configurations indicate a common origin or joint development of these tools.

DKnife is installed on Linux-based network devices and is adapted to router firmware. It can spoof Domain Name System (DNS) responses, intercept application and software updates, interfere with security solutions, and disrupt antivirus connections to their servers. Certain components deploy a special virtual interface within the network, through which malicious files are delivered to the victim as if from a local source. This helps bypass security checks and reduces the likelihood of detection.

In addition to download spoofing, the platform collects detailed data on user activity. It tracks messaging app usage, app launches, news views, purchases, taxi rides, card use, and other actions. The collected data is sent to remote control servers. Phishing and email password interception mechanisms are also included.

It's also worth noting that routers and edge network devices are increasingly becoming targets for sophisticated targeted attacks. These tools give attackers control over all traffic and enable them to infect devices without user intervention. Experts recommend paying particular attention to updating firmware, monitoring network settings, and watching for suspicious activity at the network level.
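Two of the behaviours described above (a public update host answered by the router's resolver with an address inside the LAN, and a swapped download) can be checked from an endpoint. The following is an added example written for this post, not code from Talos or the article; the hostname, resolver answers and update blobs are constructed sample data, and the "independent resolver" answers are assumed to come from a resolver reached over an encrypted channel rather than the router.

```python
import hashlib
import ipaddress

# Address ranges that should never sit behind a public update/download host.
# An on-path implant serving a file "as if from a local source" shows up here.
LOCAL_SCOPE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_local_scope(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_SCOPE)

def check_resolution(hostname: str, router_answers, independent_answers) -> list:
    """Compare the router resolver's answers for a public host with those of an
    independent resolver. Returns reasons to investigate (empty = consistent)."""
    reasons = []
    scoped = sorted(ip for ip in router_answers if is_local_scope(ip))
    if scoped:
        reasons.append(f"{hostname}: router resolves to local-scope {scoped}")
    unexpected = sorted(set(router_answers) - set(independent_answers))
    if unexpected:
        reasons.append(f"{hostname}: router-only answers {unexpected}")
    return reasons

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Pin the artifact to a hash obtained out of band (vendor page over TLS,
    signed manifest), never to anything supplied by the download path itself."""
    return sha256_hex(data) == expected_sha256.strip().lower()

# Constructed sample data (not from the report): a public update host whose
# router-supplied answer points into the LAN, plus a tampered update blob.
SAMPLE_HOST = "updates.example.net"
ROUTER_ANSWERS = ["192.168.1.1", "203.0.113.10"]
INDEPENDENT_ANSWERS = ["203.0.113.10", "203.0.113.11"]
GOOD_BLOB = b"update-v1.2 constructed sample"
TAMPERED_BLOB = b"update-v1.2 constructed sample + implant"

def run_checks() -> dict:
    """Run both checks over the constructed sample and return the results."""
    return {
        "dns": check_resolution(SAMPLE_HOST, ROUTER_ANSWERS, INDEPENDENT_ANSWERS),
        "good_blob_ok": verify_download(GOOD_BLOB, sha256_hex(GOOD_BLOB)),
        "tampered_blob_ok": verify_download(TAMPERED_BLOB, sha256_hex(GOOD_BLOB)),
    }
```

On the sample, `run_checks()` reports two DNS findings (a LAN address for a public host, and an answer the independent resolver never returned) and rejects the tampered blob while accepting the pinned one.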