Advanced Gateway Threat Emerging

Cybersecurity researchers have discovered a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife, operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants that run on compromised routers and edge devices to perform deep packet inspection, manipulate the traffic passing through them, and deliver malware through those devices.

Attack Scope and Primary Targets

The framework's primary targets appear to be Chinese-speaking users, as evidenced by credential-harvesting phishing pages for Chinese email services and exfiltration modules for popular applications such as WeChat. According to Cisco Talos researchers, DKnife delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

Seven-Component Architecture

The DKnife framework operates through distinct modules:

- dknife.bin - Core component handling deep packet inspection, user-activity reporting, binary download hijacking, and DNS hijacking
- postapi.bin - Data reporter relaying captured traffic to remote command-and-control (C2) servers
- sslmm.bin - Reverse proxy, modified from HAProxy, that terminates TLS and decrypts email sessions
- mmdown.bin - Updater that downloads the APKs the framework uses in its attacks
- yitiji.bin - Packet forwarder that creates bridged TAP interfaces
- remote.bin - P2P VPN client establishing communication with remote C2 infrastructure
- dkupdate.bin - Watchdog keeping the other components running
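A bridged TAP interface of the kind yitiji.bin creates is visible from the gateway's own shell. The following Python script is an added example, not code from Cisco Talos or from the DKnife implants: it parses the detailed link listing printed by `ip -d link show` (iproute2) and flags TAP devices that are enslaved to a bridge, which is what lets a user-space process see and inject every frame on that LAN segment. The `SAMPLE_IP_LINK` text is constructed output with invented MAC addresses; the `tun type tap` and `master <bridge>` fields follow iproute2's detailed output format.

```python
"""Flag TAP interfaces that are enslaved to a bridge on a Linux gateway.

Added example, not code from Cisco Talos or the DKnife implants. It parses the
detailed link listing produced by `ip -d link show` (iproute2). SAMPLE_IP_LINK
below is constructed output for illustration; the MAC addresses are invented.
"""
import re
import subprocess
from typing import Optional

# Constructed sample of `ip -d link show` output: eth0 and tap0 are bridge
# members of br0, tun0 is a layer-3 tunnel that should not be flagged.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 1500
    bridge_slave state forwarding priority 32 cost 4
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    bridge forward_delay 1500 hello_time 200 max_age 2000 stp_state 0
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65521
    tun type tap pi off vnet_hdr off persist on
    bridge_slave state forwarding priority 32 cost 100
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none promiscuity 0 minmtu 68 maxmtu 65535
    tun type tun pi off vnet_hdr off persist off
"""

# Header line of each interface: "<index>: <name>[@<parent>]: <FLAGS> ..."
HEADER = re.compile(r"^(\d+): ([^:@\s]+)(?:@\S+)?: <([^>]*)>(.*)$")


def parse_ip_link(text: str) -> list[dict]:
    """Turn `ip -d link show` output into one record per interface."""
    ifaces: list[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            tokens = m.group(4).split()
            # "master br0" names the bridge this interface is enslaved to.
            master = tokens[tokens.index("master") + 1] if "master" in tokens else None
            cur = {"name": m.group(2), "flags": m.group(3).split(","),
                   "master": master, "kind": None}
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        tokens = line.split()
        if not tokens:
            continue
        # Indented detail lines: "tun type tap|tun ..." for TUN/TAP devices,
        # "bridge ..." for a bridge device itself.
        if tokens[0] == "tun" and len(tokens) >= 3 and tokens[1] == "type":
            cur["kind"] = tokens[2]
        elif tokens[0] == "bridge":
            cur["kind"] = "bridge"
    return ifaces


def find_bridged_taps(text: str) -> list[dict]:
    """TAP devices that are bridge members: a user-space process on the box
    is bridged into a LAN segment and can see and inject every frame on it."""
    return [i for i in parse_ip_link(text) if i["kind"] == "tap" and i["master"]]


if __name__ == "__main__":
    out = subprocess.run(["ip", "-d", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    for hit in find_bridged_taps(out):
        print(f"ALERT: TAP interface {hit['name']} bridged into {hit['master']}")
```

Legitimate VPN and virtualization setups produce the same pattern, so the useful signal is a TAP member appearing on a gateway whose baseline has none; pair the check with a look at which process holds the `/dev/net/tun` file descriptor.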

Credential Harvesting and Traffic Manipulation

DKnife harvests credentials from major Chinese email providers and can host phishing pages impersonating several of those services. The sslmm.bin component presents its own TLS certificate to clients, terminating and decrypting POP3/IMAP connections to extract plaintext usernames and passwords. Because that certificate is not the mail provider's, a client that strictly validates the server certificate will refuse the connection; the technique relies on clients that skip validation, users who accept the warning, or a certificate authority the attacker has managed to get trusted on the victim device.
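One client-side check for this kind of interception is to pin the leaf certificate of the mail server. The script below is an added example, not code from Cisco Talos or from the DKnife framework. It connects to an IMAPS or POP3S port (implicit TLS, e.g. 993 or 995; STARTTLS on 143/110 is not handled), fetches the leaf certificate, and distinguishes three cases: the pinned certificate, an untrusted certificate that any strict client would already reject, and a certificate that chains to a trusted CA but does not match the pin, which is the quiet case a planted or misissued CA produces and only pinning catches. The pins and the DER bytes used in the usage are constructed placeholders.

```python
"""Pin the leaf certificate presented by an IMAPS/POP3S server.

Added example (not Cisco Talos or DKnife code). An in-path proxy such as
sslmm.bin has to present its own certificate to the client, so the leaf
fingerprint changes even when chain validation passes because a rogue CA is
trusted. Any pins or DER bytes used with this script are constructed.
"""
import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der_cert: bytes) -> str:
    """Lower-case hex SHA-256 of the DER certificate, the usual pin form."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' spellings from pin lists."""
    return pin.replace(":", "").strip().lower()


def verdict(chain_valid: bool, der_cert: bytes, pins: set[str]) -> str:
    """Three outcomes a client can see:
    PINNED           - chain valid and leaf matches a pin: the expected server.
    UNTRUSTED        - chain failed: e.g. a self-signed proxy certificate,
                       which strict clients already refuse.
    TRUSTED_UNPINNED - chain valid but leaf not pinned: a CA the device trusts
                       issued a cert we never pinned; only pinning catches it.
    """
    pinned = sha256_fingerprint(der_cert) in {normalize_pin(p) for p in pins}
    if not chain_valid:
        return "UNTRUSTED"
    return "PINNED" if pinned else "TRUSTED_UNPINNED"


def fetch_leaf(host: str, port: int, timeout: float = 10.0) -> tuple[bytes, bool]:
    """Return (DER leaf certificate, chain_valid). When strict validation
    fails, the cert is re-fetched without validation so it can still be
    fingerprinted and reported."""
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError:
        pass
    lax = ssl.create_default_context()
    lax.check_hostname = False          # must be cleared before verify_mode
    lax.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), False


def check_server(host: str, port: int, pins: set[str]) -> str:
    """Live check: fetch the leaf certificate and classify it against pins."""
    der, valid = fetch_leaf(host, port)
    return verdict(valid, der, pins)


if __name__ == "__main__":
    # usage: python3 mailpin.py imap.example.com 993 <sha256-fingerprint> [...]
    host, port, *pin_args = sys.argv[1:]
    print(check_server(host, int(port), set(pin_args)))
```

Record the pin from a network you trust (or from the provider's published fingerprint) rather than from the gateway under suspicion, and re-run the check from behind the gateway; a TRUSTED_UNPINNED result deserves a look at the device's CA store as well as the path.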

The core component enables sophisticated traffic monitoring, including hijacking Android application updates for Chinese news, video streaming, and e-commerce platforms, and interfering with communications from antivirus products including 360 Total Security and Tencent services.

Threat Actor Infrastructure

Analysis of DKnife's infrastructure revealed connections to WizardNet, a Windows implant deployed by the Chinese APT group TheWizards via their Spellbinder AitM framework. TheWizards targets individuals and gambling sectors across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

The discovery of configuration files from a single C2 server suggests the existence of additional servers hosting configurations for different regional targeting campaigns.

Key Implications

As threat actors intensify efforts to compromise edge device infrastructure, understanding the advanced capabilities of modern AitM threats—which blend deep packet inspection, traffic manipulation, and customized malware delivery—becomes critical for network defense strategies.

Source: The Hacker News