DinodasRAT malware targets Linux servers in espionage campaign


Security researchers have observed Red Hat and Ubuntu systems being attacked by a Linux version of the DinodasRAT (also known as XDealer) that may have been operating since 2022.

The Linux variant of the malware has not been described publicly, although the first version has been tracked to 2021.

Cybersecurity company ESET has previously seen DinodasRAT compromising Windows systems in an espionage campaign dubbed ‘Operation Jacana’ that targeted government entities.

Earlier this month, Trend Micro reported on a Chinese APT group it tracks as ‘Earth Krahang,’ which used XDealer to breach both Windows and Linux systems of governments worldwide.

DinodasRAT details

In a report earlier this week, researchers at Kaspersky say that when executed, the Linux variant of DinodasRAT creates a hidden file in the directory where its binary resides, which acts as a mutex to prevent multiple instances from running on the infected device.

Next, the malware sets persistence on the computer using SystemV or SystemD startup scripts. To complicate detection, the malware then executes once more while the parent process waits.

The malware’s execution logic (Kaspersky)

The infected machine is tagged with an identifier built from infection, hardware, and system details, and this report is sent to the command and control (C2) server, which uses it to manage victim hosts.

Creating the unique ID for the victim (Kaspersky)

Communication with the C2 server occurs over TCP or UDP, and the malware encrypts the exchanged data with the Tiny Encryption Algorithm (TEA) in CBC mode.

Dinodas network packet structure (Kaspersky)
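The report only names the cipher and mode, not the key or packet layout, so as an added example (not Kaspersky's or the malware's code) here is a TEA-CBC encrypt/decrypt helper of the kind an analyst would use to inspect captured C2 traffic once the key has been recovered from a sample. Standard 32-cycle TEA, big-endian words, PKCS#7-style padding and the constructed key/IV are assumptions, since the page does not disclose DinodasRAT's actual parameters.

```python
import struct

# Standard TEA constants (Wheeler and Needham). Key, IV and padding scheme are
# constructed for this example; the page does not disclose the malware's values.
DELTA, CYCLES, MASK = 0x9E3779B9, 32, 0xFFFFFFFF

def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block with a 128-bit key (32 cycles, big-endian words)."""
    v0, v1, k0, k1, k2, k3 = struct.unpack(">6I", block + key)
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(">2I", v0, v1)

def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt_block: run the cycles backwards."""
    v0, v1, k0, k1, k2, k3 = struct.unpack(">6I", block + key)
    total = (DELTA * CYCLES) & MASK
    for _ in range(CYCLES):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return struct.pack(">2I", v0, v1)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tea_cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC mode: each block is XORed with the previous ciphertext block (IV first)."""
    n = 8 - len(plaintext) % 8                 # PKCS#7-style padding (assumed)
    padded = plaintext + bytes([n]) * n
    out, prev = [], iv
    for i in range(0, len(padded), 8):
        prev = tea_encrypt_block(_xor(padded[i:i + 8], prev), key)
        out.append(prev)
    return b"".join(out)

def tea_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """Decrypt a captured CBC stream; a wrong IV garbles only the first block."""
    if not ciphertext or len(ciphertext) % 8:
        raise ValueError("ciphertext length must be a non-zero multiple of 8")
    out, prev = [], iv
    for i in range(0, len(ciphertext), 8):
        block = ciphertext[i:i + 8]
        out.append(_xor(tea_decrypt_block(block, key), prev))
        prev = block
    data = b"".join(out)
    n = data[-1]
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key, IV or corrupted data")
    return data[:-n]
```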

DinodasRAT has capabilities designed to monitor, control, and exfiltrate data from compromised systems. Its main features include:

  • Monitor and harvest data on user activities, system configurations, and running processes.
  • Receive commands for execution from the C2, including file and directory actions, shell command execution, and updating the C2 address.
  • Enumerate, start, stop, and manage processes and services on the infected system.
  • Offer the attackers a remote shell for direct command or file execution in separate threads.
  • Proxy C2 communications through remote servers.
  • Download new versions of the malware that potentially incorporate improvements and additional capabilities.
  • Uninstall itself and wipe all traces of its previous activity from the system.

According to the researchers, DinodasRAT gives the attacker complete control over compromised systems. They note that the threat actor is using the malware primarily to gain and maintain access to the target through Linux servers.

“The backdoor is fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage,” Kaspersky says.

Kaspersky does not provide details about the initial infection method but notes that since October 2023 the malware affects victims in China, Taiwan, Turkey and Uzbekistan.
