China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery

Cybersecurity researchers have identified a sophisticated framework named DKnife, linked to Chinese threat actors, designed for traffic manipulation and malware delivery via routers.

Cybersecurity researchers have detailed a framework known as DKnife, attributed to China-linked threat actors and operational since at least 2019. It is built for adversary-in-the-middle (AitM) attacks: seven Linux-based implants, deployed on compromised routers and edge devices, perform deep packet inspection, manipulate the network traffic passing through the device, and deliver malware to the users behind it.

The primary targets of DKnife appear to be Chinese-speaking users, as indicated by the presence of phishing pages aimed at Chinese email services and modules for exfiltrating data from popular Chinese applications like WeChat. According to Cisco Talos researcher Ashley Shen, DKnife’s capabilities extend to a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. The framework is capable of delivering and interacting with backdoors such as ShadowPad and DarkNimbus by hijacking binary downloads and Android application updates.

Discovery and Infrastructure

Cisco Talos discovered DKnife while monitoring another Chinese threat activity cluster known as Earth Minotaur, which is associated with tools including the MOONSHINE exploit kit and the DarkNimbus backdoor. The analysis also revealed connections between DKnife and WizardNet, a Windows implant used by another China-aligned advanced persistent threat (APT) group called TheWizards. That overlap suggests the same framework could be configured against targets in other regions.

Components and Functionality

DKnife consists of seven components, each serving distinct functions:

  • dknife.bin: The core of the framework responsible for deep packet inspection and traffic manipulation.
  • postapi.bin: A data reporting module that relays traffic to remote command-and-control (C2) servers.
  • sslmm.bin: A reverse proxy that performs TLS termination and URL rerouting.
  • mmdown.bin: An updater module that connects to a hard-coded C2 server to download malicious APKs.
  • yitiji.bin: A packet forwarder that creates a bridged TAP interface on routers.
  • remote.bin: A peer-to-peer VPN client module for communication with remote C2.
  • dkupdate.bin: An updater and watchdog module that maintains the functionality of other components.

Notably, DKnife can harvest credentials from major Chinese email providers and host phishing pages for various services. Because sslmm.bin terminates TLS on the router, email logins passing through it are exposed in the clear; the component extracts the usernames and passwords and relays them to remote C2 servers.
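A TLS-terminating proxy on a router can only read an email login if the client accepts the certificate the proxy presents in place of the real server's. The Go program below is an added example, not code from the Talos report or from DKnife, showing the client-side check that defeats that: pinning the genuine server's public key (the SHA-256 of its SubjectPublicKeyInfo) in a tls.Config VerifyPeerCertificate callback, so a leaf certificate carrying any other key fails the handshake regardless of who issued it. The hostname and both certificates are generated inside the program so it runs offline; the pin string in main is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo, the value most pinning libraries compare against.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier builds a tls.Config VerifyPeerCertificate callback that rejects
// any handshake whose leaf certificate does not carry one of the pinned keys.
// crypto/tls still validates the chain against the system roots first; this
// callback adds the pin check on top, which is what catches a re-signing proxy.
func PinVerifier(pins []string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin check: no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("pin check: cannot parse leaf certificate: %w", err)
		}
		if pin := SPKIPin(leaf); !allowed[pin] {
			return fmt.Errorf("pin check: leaf SPKI %s is not pinned; possible TLS-terminating proxy", pin)
		}
		return nil
	}
}

// selfSigned mints a throwaway certificate so the example runs offline.
// In real use the pin is taken from the genuine server key, recorded out of band.
func selfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PinDemo returns (genuineAccepted, proxyRejected): the pin is taken from the
// genuine certificate, and an unrelated certificate for the same hostname
// (what an interception proxy would present) is checked against it.
func PinDemo() (bool, bool) {
	genuine := selfSigned("mail.example.test") // constructed hostname
	proxy := selfSigned("mail.example.test")   // same name, different key
	verify := PinVerifier([]string{SPKIPin(genuine)})
	okGenuine := verify([][]byte{genuine.Raw}, nil) == nil
	errProxy := verify([][]byte{proxy.Raw}, nil)
	return okGenuine, errProxy != nil
}

func main() {
	// Wiring for real use: hand the callback to tls.Dial or an http.Transport.
	cfg := &tls.Config{VerifyPeerCertificate: PinVerifier([]string{"<pin-of-genuine-key>"})}
	_ = cfg
	a, b := PinDemo()
	fmt.Println("genuine accepted:", a, "proxy rejected:", b)
}
```

Pin the key, not the whole certificate, so routine certificate renewals with the same key keep working, and ship at least one backup pin for the next key so a planned rotation does not lock clients out.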

Implications of DKnife’s Capabilities

The framework’s capabilities include DNS hijacking and the manipulation of legitimate downloads to deliver malicious payloads: hijacking Android application updates and replacing them with malicious versions, and interfering with the communications of antivirus and PC management products. Such tactics show what current AitM threats look like in practice: deep packet inspection on the network path combined with malware delivery tailored to each device type.
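Hijacking a binary download or an Android update in transit works because the client installs whatever bytes arrive for the URL it requested. The Go program below is an added example, not code from the report or from the framework, of the publisher-side and client-side check that breaks that pattern: a manifest of artifact SHA-256 digests signed with an Ed25519 key kept offline, which the client verifies against a pinned public key before trusting any digest in it. The product name, version, file name and payload bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists the expected digest of each update artifact. The publisher
// signs the serialized manifest with an offline Ed25519 key; the client pins
// only the public key. An on-path attacker can swap the bytes on the wire but
// cannot produce a valid manifest signature for them.
type Manifest struct {
	Product string            `json:"product"`
	Version string            `json:"version"`
	SHA256  map[string]string `json:"sha256"` // artifact name -> hex digest
}

func encode(m Manifest) ([]byte, error) { return json.Marshal(m) }

// SignManifest is the publisher side (run offline, never on the update server).
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	body, err := encode(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the client side: check the manifest signature first, then
// check the downloaded artifact against the digest the manifest vouches for.
func VerifyUpdate(pub ed25519.PublicKey, manifestBody, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pub, manifestBody, sig) {
		return errors.New("manifest signature invalid: manifest may have been replaced in transit")
	}
	var m Manifest
	if err := json.Unmarshal(manifestBody, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	want, ok := m.SHA256[name]
	if !ok {
		return fmt.Errorf("manifest does not list artifact %q", name)
	}
	wantRaw, err := hex.DecodeString(want)
	if err != nil || len(wantRaw) != sha256.Size {
		return fmt.Errorf("bad digest for %q in manifest", name)
	}
	got := sha256.Sum256(artifact)
	if !bytes.Equal(got[:], wantRaw) {
		return fmt.Errorf("artifact %q digest mismatch: got %x, manifest says %s", name, got, want)
	}
	return nil
}

// UpdateDemo plays publisher, honest client and on-path attacker with
// constructed data and reports whether each case was decided correctly.
func UpdateDemo() (genuineOK, swappedArtifactRejected, swappedManifestRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	apk := []byte("constructed genuine update payload")
	sum := sha256.Sum256(apk)
	m := Manifest{Product: "example-app", Version: "2.1.0",
		SHA256: map[string]string{"app-2.1.0.apk": hex.EncodeToString(sum[:])}}
	body, sig, err := SignManifest(priv, m)
	if err != nil {
		panic(err)
	}

	// 1. Untampered download verifies.
	genuineOK = VerifyUpdate(pub, body, sig, "app-2.1.0.apk", apk) == nil

	// 2. Attacker swaps only the artifact, as a download hijack does.
	trojan := []byte("constructed trojanized payload")
	swappedArtifactRejected = VerifyUpdate(pub, body, sig, "app-2.1.0.apk", trojan) != nil

	// 3. Attacker also rewrites the manifest to match the trojan but cannot
	//    sign it; the stale signature no longer matches the new body.
	tsum := sha256.Sum256(trojan)
	m.SHA256["app-2.1.0.apk"] = hex.EncodeToString(tsum[:])
	forgedBody, _ := encode(m)
	swappedManifestRejected = VerifyUpdate(pub, forgedBody, sig, "app-2.1.0.apk", trojan) != nil
	return
}

func main() {
	a, b, c := UpdateDemo()
	fmt.Println("genuine ok:", a, "swapped artifact rejected:", b, "swapped manifest rejected:", c)
}
```

The same logic applies whether the manifest travels over HTTP, HTTPS or a hijacked DNS name: the client's trust anchor is the pinned public key, not the transport, so rerouting the download does not help the attacker unless the signing key is also compromised.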

As routers and edge devices remain prime targets in sophisticated cyber campaigns, understanding the tools and techniques employed by threat actors like those behind DKnife is crucial for enhancing cybersecurity defenses.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
