A newly identified Linux variant of a multi-platform backdoor known as DinodasRAT has emerged, actively targeting regions including China, Taiwan, Turkey, and Uzbekistan, according to recent findings by Kaspersky.

DinodasRAT, also recognized as XDealer, is a C++-based malware specifically designed to extract various sensitive data from compromised systems. This variant reflects a broader trend in cyber threats, showcasing the adaptability of such malware across different operating systems.

In October 2023, the Slovak cybersecurity firm ESET reported an incident involving a governmental entity in Guyana, which was targeted as part of a cyber espionage campaign named Operation Jacana, aimed at deploying the Windows variant of the malware.

Most recently, Trend Micro outlined a threat activity cluster designated as Earth Krahang that has transitioned to adopting DinodasRAT in its operations since 2023. The group’s activities appear to focus on several government entities around the globe, amplifying the risk profile associated with this malware.

DinodasRAT is reportedly operated by various threat actors with ties to China, including groups like LuoYu. This highlights the collaborative nature of hacking syndicates operating on behalf of national interests, which often share tools and methodologies.

Kaspersky identified the Linux version (V10) of DinodasRAT in early October 2023, with its initial known variant (V7) traced to July 2021. Check Point has since discovered an evolved form (V11) in November 2023, indicating ongoing development and sophistication.

This malware specifically targets Red Hat-based distributions and Ubuntu Linux. Upon activation, it establishes persistence on the host through System V init or systemd startup scripts and maintains a connection with a remote server via TCP or UDP to receive and execute commands.
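The persistence mechanism described above (init scripts and systemd units) is also where a defender can look for it. The following audit script is an added example written for this page, not code from Kaspersky, Check Point or any DinodasRAT sample: it walks the standard systemd unit and System V init directories, extracts the launch command, and flags services that start from scratch or home directories, which legitimate packaged services almost never do. The directory list, the "suspicious prefix" heuristic and the `build_sample_root()` fixture (which writes constructed unit files into a temporary directory so the script runs offline) are all assumptions of this example.

```python
import os
import re
import tempfile
from typing import Dict, List

# Standard locations for unit files and init scripts, relative to the filesystem root
SYSTEMD_DIRS = ["etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system"]
SYSV_DIRS = ["etc/init.d", "etc/rc.d/init.d"]

# Heuristic (assumption of this example): packaged services do not launch from these paths
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# ExecStart may carry prefix characters such as '-' or '@' before the binary path
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", re.MULTILINE)


def _suspicious(path: str) -> bool:
    return path.startswith(SUSPICIOUS_PREFIXES)


def audit_systemd(root: str = "/") -> List[Dict[str, str]]:
    """Return systemd .service units whose ExecStart points into an unusual directory."""
    findings, seen = [], set()
    for d in SYSTEMD_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            unit = os.path.join(full, name)
            real = os.path.realpath(unit)  # /lib/systemd is often a symlink to /usr/lib/systemd
            if not name.endswith(".service") or not os.path.isfile(real) or real in seen:
                continue
            seen.add(real)
            with open(real, errors="replace") as fh:
                text = fh.read()
            for m in EXECSTART_RE.finditer(text):
                if _suspicious(m.group(1)):
                    findings.append({"source": unit, "exec": m.group(1),
                                     "reason": "ExecStart launches from a scratch or home directory"})
    return findings


def audit_sysv(root: str = "/") -> List[Dict[str, str]]:
    """Return init.d scripts containing a non-comment line that references an unusual directory."""
    findings = []
    for d in SYSV_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            script = os.path.join(full, name)
            if not os.path.isfile(script):
                continue
            with open(script, errors="replace") as fh:
                for line in fh:
                    stripped = line.strip()
                    if stripped.startswith("#"):
                        continue
                    if any(p in stripped for p in SUSPICIOUS_PREFIXES):
                        findings.append({"source": script, "exec": stripped,
                                         "reason": "init script references a scratch or home directory"})
                        break
    return findings


def build_sample_root() -> str:
    """Create a constructed sample filesystem root: one benign unit, one unit that
    mimics a kernel thread name but runs from /tmp, and one init script using /dev/shm."""
    root = tempfile.mkdtemp(prefix="persist-audit-")
    units = os.path.join(root, "etc/systemd/system")
    initd = os.path.join(root, "etc/init.d")
    os.makedirs(units)
    os.makedirs(initd)
    with open(os.path.join(units, "sshd.service"), "w") as fh:
        fh.write("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    with open(os.path.join(units, "kthreadd.service"), "w") as fh:  # constructed sample name
        fh.write("[Unit]\nDescription=kernel thread helper\n"
                 "[Service]\nExecStart=/tmp/.x/agent -c /tmp/.x/cfg\nRestart=always\n")
    with open(os.path.join(initd, "rc-helper"), "w") as fh:  # constructed sample name
        fh.write("#!/bin/sh\n# constructed sample init script\n/dev/shm/.cache/daemon start\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for finding in audit_systemd(sample) + audit_sysv(sample):
        print(f"{finding['source']}: {finding['exec']} ({finding['reason']})")
```

Run it against the real root with `audit_systemd("/")` and `audit_sysv("/")` on a live host; the prefix list is a starting heuristic and will need tuning for environments that legitimately run services from home directories.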

DinodasRAT’s capabilities are extensive; it can perform various file operations, modify command-and-control (C2) addresses, manage running processes, execute shell commands, and even uninstall itself. It employs the Tiny Encryption Algorithm (TEA) to secure C2 communications, complicating detection efforts.
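TEA, the cipher named above, is the public Wheeler and Needham block cipher: a 64-bit block, a 128-bit key, and 32 cycles of add, shift and XOR driven by the constant 0x9E3779B9. The implementation below is an added example for this page, not code from the malware or from the cited analyses; it shows what an analyst needs in order to decode captured C2 traffic once a sample's key has been recovered. The key, the little-endian word order, ECB block handling and the PKCS#7-style padding are assumptions made for illustration; the page does not state how DinodasRAT frames or pads its messages.

```python
import struct

DELTA = 0x9E3779B9   # TEA's key-schedule constant (derived from the golden ratio)
MASK = 0xFFFFFFFF    # keep every intermediate value in 32-bit unsigned range
ROUNDS = 32          # the standard 32 cycles (64 Feistel rounds)


def tea_encrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Encrypt one 64-bit block given as two 32-bit words and a 4-word key."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Inverse of tea_encrypt_block: run the cycles backwards from total = 32 * DELTA."""
    k0, k1, k2, k3 = key
    total = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1


def _key_words(key: bytes) -> tuple:
    if len(key) != 16:
        raise ValueError("TEA key must be exactly 16 bytes")
    return struct.unpack("<4I", key)  # little-endian word order is an assumption


def _pad(data: bytes) -> bytes:
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """Pad and encrypt a message block by block (ECB, assumed for illustration)."""
    k = _key_words(key)
    padded = _pad(data)
    out = bytearray()
    for i in range(0, len(padded), 8):
        v0, v1 = struct.unpack("<2I", padded[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data: bytes, key: bytes) -> bytes:
    """Decrypt block by block and strip the padding; raises on malformed input."""
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    k = _key_words(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return _unpad(bytes(out))


# Constructed sample values; not taken from any real sample
SAMPLE_KEY = b"constructed-key!"
SAMPLE_MSG = b"beacon host=web01 uid=0 ver=10"


def demo() -> tuple:
    """Encrypt the constructed message and decrypt it again; returns (ciphertext, plaintext)."""
    ct = tea_encrypt(SAMPLE_MSG, SAMPLE_KEY)
    return ct, tea_decrypt(ct, SAMPLE_KEY)


if __name__ == "__main__":
    ct, pt = demo()
    print(ct.hex())
    print(pt)
```

Because TEA has no authentication and a plain block mode leaks repeated blocks, a payload encrypted this way is still easy to distinguish from TLS at the network layer: fixed-size 8-byte-aligned messages over raw TCP or UDP to a single external host are a useful hunting signal even when the key is unknown.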

The malware is primarily used for maintaining access to Linux servers rather than merely for reconnaissance, providing operators total control over infected systems and facilitating data exfiltration. This aligns with several techniques within the MITRE ATT&CK framework, including persistence, command and control, and exfiltration tactics.

Check Point’s analysis further indicates that DinodasRAT is based on an open-source project named SimpleRemoter, highlighting the malware’s intricate ties to other remote access tools. The malware’s continued adaptation and evolution emphasizes the importance of robust security measures for Linux environments.

The latest iteration of DinodasRAT showcases advanced functionalities, including threading for system monitoring, additional modules for interfering with system operations, and the capability to eliminate inactive reverse shell sessions. These advancements signal a deliberate effort by threat actors to enhance operational efficiency and persistence.

The auxiliary module, referred to as the filter module, is designed to act as a proxy for executing original binaries, effectively controlling their output and permitting attackers to extract valuable information while reducing the likelihood of detection. This sophistication underscores the ongoing focus by threat actors on exploiting vulnerabilities in Linux server configurations, which often have less stringent security measures compared to their Windows counterparts.

The developments in DinodasRAT illustrate the escalating complexity of cyber threats faced by organizations globally, highlighting the necessity for heightened vigilance and comprehensive cybersecurity strategies.

(This article has been updated to integrate additional information about DinodasRAT as published by Check Point Research on March 31, 2024.)
