Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Cisco Talos has uncovered DKnife, a gateway-monitoring and adversary-in-the-middle (AitM) framework made up of seven Linux-based implants. In use since at least 2019, the framework performs deep-packet inspection, manipulates network traffic, and delivers malware from compromised routers and edge devices. DKnife targets PCs, mobile devices, and IoT devices alike, hijacking binary downloads and Android application updates to deliver backdoors such as ShadowPad and DarkNimbus.

Evidence, including code references and the language used in configuration files, strongly suggests that China-nexus threat actors operate DKnife, with a primary focus on Chinese-speaking users. The framework also shows a link to the WizardNet backdoor campaign, indicating a shared development or operational lineage with other AitM frameworks such as Spellbinder.

DKnife's capabilities include DNS hijacking, disrupting antivirus traffic, and extensive monitoring of user activity (messaging, shopping, news consumption, and more). It also harvests credentials for Chinese email services and hosts phishing pages. Its seven components work in concert, from deep-packet inspection through to establishing P2P communication channels. Routers and edge devices remain critical targets for advanced threats like DKnife, underscoring the need for continuous monitoring of this infrastructure.

blog.talosintelligence.com/knife-cut…

Edward Kiledjian @ekiledjian