DKnife

"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."

"...hijacking binary downloads and Android application updates." / "Hijacking and replacing Android application updates... by intercepting their update manifest requests"

DKnife hijacks software downloads and Android app updates... It redirects update requests to a local malicious server and replaces legitimate downloads with malware.

"DKnife toolkit abuses routers to spy and deliver malware since 2019"

DKnife can also serve phishing pages. The phishing routes are defined in url.cfg, and several phishing templates were discovered under /dkay-scripts/.

"DKnife can harvest credentials from a major Chinese email provider and host phishing pages for other services"

It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

The code establishes persistence by modifying the /etc/rc.local file, a script commonly used to execute commands and scripts after the system boots and initializes services.

"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."

For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.

The DKnife downloader... enables persistence at boot... downloads the DKnife package, and launches all components automatically.

The code establishes persistence by modifying the /etc/rc.local file, a script commonly used to execute commands and scripts after the system boots and initializes services.

"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."

The DKnife downloader... enables persistence at boot... downloads the DKnife package, and launches all components automatically.

The tool loads encrypted hijacking rules, decrypts them with a QQ TEA–based key, and deletes them after use.

"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."

For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.

It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

DKnife inspects traffic to monitor and report user’s network activity to its remote C2 in real time.

The malware also steals credentials by intercepting encrypted email connections and hosting phishing pages.

“The toolkit… steals credentials from Chinese services”

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

For harvesting email credentials, the sslmm.bin component presents its own TLS certificate to clients, terminates and decrypts POP3/IMAP connections, and inspects the plaintext stream to extract usernames and passwords.

DKnife inspects traffic to monitor and report user’s network activity to its remote C2 in real time.

The malware also steals credentials by intercepting encrypted email connections and hosting phishing pages.

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

When an HTTP request’s Host and URI match the configured rule, DKnife evaluates the rule’s duration and interval timers to determine whether to trigger. If the rule fires and the requested filename has a matching extension (e.g., “.exe”, “.rar”, “.zip”, or “.apk”), DKnife forges an HTTP 302 redirect whose Location URL is taken from the rule’s data field.

"Encrypted communications over HTTP(S) or DNS-like patterns"

This component acts as the reverse proxy server for the AitM attack and is implemented as a pre-configured, customized build of HAProxy.

"sslmm.bin - A reverse proxy module modified from HAProxy that performs TLS termination..."

After creating the folders for DKnife deployment, the downloader fetches the DKnife archive from the C2 and launches every binary in /dksoft/bin/ using nohup [filepath] 2>/dev/null 1>/dev/null &.

For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.

This component functions as an N2N peer-to-peer VPN client. When executed it creates a virtual network device named “edge0” and attaches it to a P2P overlay, automatically joining the hardcoded community dknife and registering with the embedded supernode.

remote.bin – P2P VPN client Builds a peer-to-peer communication tunnel to the remote C2 using a customized N2N VPN.

Postapi.bin loads the configuration file server.conf to obtain the address of the remote C2 server used for data exfiltration... The component uses libcurl to send different types of exfiltrated and reporting data via HTTP POST requests to specific API endpoints.

“…exfiltrate data from popular apps like WeChat and QQ.”

DKnife supports both IPv4 and IPv6 DNS hijacking.

"Interfering with communications from antivirus and PC-management products, including 360 Total Security and Tencent services"

The DKnife traffic inspection module actively identifies and interferes with communications from antivirus and PC-management products... When a match is found, the module drops or otherwise disrupts the traffic with the crafted TCP RST packet.