The “All-in-One” Spy: DKnife Malware Hijacks Routers to Swap Downloads

Cisco Talos revealed DKnife, a sophisticated adversary-in-the-middle framework active since 2019 that compromises routers and edge devices to inspect and manipulate traffic. DKnife hijacks Android updates and Windows downloads to deploy backdoors like ShadowPad and DarkNimbus while targeting Chinese-speaking users and services. #DKnife #ShadowPad

Key points

  • DKnife turns compromised gateways into inspection points that perform deep-packet inspection and manipulate traffic.
  • The framework comprises seven Linux-based implants, including yitiji.bin, which creates a bridged interface to route attacker traffic.
  • It hijacks Android update manifests and swaps Windows binaries to deliver malicious APKs and installers.
  • DKnife identifies and blocks security products such as 360 Total Security and Tencent PC Manager to evade detection.
  • It delivers ShadowPad and DarkNimbus via side-loaded loaders and reroutes DNS requests to attacker C2 servers; its targeting centres on Chinese-speaking users and apps such as WeChat and QQ.
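The download-swapping described above works because the compromised gateway sits between the client and the vendor, so it can replace both the update binary and the manifest that describes it. The following added example (written for this summary, not code from Cisco Talos or the article) shows the client-side check that defeats the swap: the installer hash is pinned in a manifest, and the manifest itself is authenticated before the pinned hash is trusted. Everything in it is constructed: the manifest fields, the package name and URL, the "installer" byte strings, and the key. HMAC stands in for the vendor's real signature scheme (an asymmetric signature in practice, so the client holds only a public key) because it runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the vendor's signing key (assumption; a real
# update channel would use an asymmetric signature and ship only the public key).
VENDOR_KEY = b"constructed-demo-vendor-key"


def canonical(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: tag the canonical manifest bytes."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    """Client side: constant-time check that the manifest was not rewritten in transit."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_artifact(blob: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded file against the hash pinned in the manifest."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_sha256)


def check_update(manifest: dict, tag: str, blob: bytes, key: bytes = VENDOR_KEY) -> str:
    """Return "ok", "manifest-tampered" or "artifact-swapped"; anything but "ok" aborts the install."""
    if not verify_manifest(manifest, tag, key):
        return "manifest-tampered"
    if not verify_artifact(blob, manifest["sha256"]):
        return "artifact-swapped"
    return "ok"


# --- constructed sample data; none of this is a real DKnife artifact ---
GENUINE_BLOB = b"genuine installer bytes (constructed)"
MALICIOUS_BLOB = b"substituted installer bytes (constructed)"

GENUINE_MANIFEST = {
    "package": "example-app",  # placeholder name
    "version": "1.2.3",
    "url": "https://updates.example.invalid/example-app-1.2.3.bin",  # placeholder URL
    "sha256": hashlib.sha256(GENUINE_BLOB).hexdigest(),
}
GENUINE_TAG = sign_manifest(GENUINE_MANIFEST, VENDOR_KEY)


def scenario_clean() -> str:
    """Untouched manifest and binary."""
    return check_update(GENUINE_MANIFEST, GENUINE_TAG, GENUINE_BLOB)


def scenario_binary_swapped() -> str:
    """Gateway leaves the manifest alone but swaps the binary: caught by the pinned hash."""
    return check_update(GENUINE_MANIFEST, GENUINE_TAG, MALICIOUS_BLOB)


def forged_manifest() -> dict:
    """Manifest rewritten in transit so its pinned hash matches the swapped binary."""
    return dict(GENUINE_MANIFEST, sha256=hashlib.sha256(MALICIOUS_BLOB).hexdigest())


def scenario_manifest_rewritten() -> str:
    """Both manifest and binary swapped: only the manifest signature catches this."""
    return check_update(forged_manifest(), GENUINE_TAG, MALICIOUS_BLOB)


def hash_only_passes_forged_manifest() -> bool:
    """What a client that pins hashes but never authenticates the manifest would conclude."""
    return verify_artifact(MALICIOUS_BLOB, forged_manifest()["sha256"])


if __name__ == "__main__":
    for name, fn in [("clean", scenario_clean),
                     ("binary swapped", scenario_binary_swapped),
                     ("manifest rewritten", scenario_manifest_rewritten)]:
        print(f"{name:20s} -> {fn()}")
    print(f"hash-only check on forged manifest -> {hash_only_passes_forged_manifest()}")
```

The last function is the point of the example: a client that verifies the binary against a hash fetched over the same hijacked path accepts the swapped installer, because the gateway can rewrite the hash too. Authenticating the manifest with a key the gateway never sees (and, for Windows installers, also checking the Authenticode signature of the file itself) is what turns a silent substitution into a hard failure.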

Read More: https://securityonline.info/the-all-in-one-spy-dknife-malware-hijacks-routers-to-swap-downloads/