Original Article Text


DinodasRAT malware targets Linux servers in espionage campaign

Security researchers have observed Red Hat and Ubuntu systems being attacked by a Linux version of DinodasRAT (also known as XDealer) that may have been in use since 2022. This Linux variant had not previously been described publicly, although its earliest version has been traced back to 2021.

Cybersecurity company ESET has previously seen DinodasRAT compromising Windows systems in an espionage campaign dubbed 'Operation Jacana' that targeted government entities. Earlier this month, Trend Micro reported on a Chinese APT group it tracks as 'Earth Krahang', which used XDealer to breach both Windows and Linux systems of governments worldwide.

DinodasRAT details

In a report earlier this week, researchers at Kaspersky say that when executed, the Linux variant of DinodasRAT creates a hidden file in the directory where its binary resides; the file acts as a mutex that prevents multiple instances from running on the infected device.

Next, the malware establishes persistence using SystemV or systemd startup scripts. To complicate detection, it then executes itself once more while the parent process waits.

The malware fingerprints the infected machine using infection, hardware and system details and sends the resulting report to the command-and-control (C2) server, which the operators use to manage victim hosts. Communication with the C2 server occurs over TCP or UDP, and the malware encrypts it with the Tiny Encryption Algorithm (TEA) in CBC mode.

DinodasRAT has capabilities designed to monitor, control, and exfiltrate data from compromised systems. Its main features include:

According to the researchers, DinodasRAT gives the attacker complete control over compromised systems. They note that the threat actor is using the malware primarily to gain and maintain access to targets through their Linux servers.
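The two host-side behaviours Kaspersky describes above, a hidden mutex file placed next to the malware's own binary and persistence through SystemV or systemd start-up scripts, can be hunted for together: enumerate every executable that an init script or unit file starts, then look for hidden files in that executable's directory. The script below is an added example written for this page, not code from Kaspersky's report or from the malware itself. The directory layout, the service names and the hidden-file name `.cached.lock` are constructed for the demonstration; the article does not give the real mutex file name.

```python
"""Hunt for the file-level indicators described for DinodasRAT on Linux:
a binary launched from SystemV/systemd persistence that has hidden files
sitting in its own directory. Constructed example; paths are assumptions."""
import os
import re
import tempfile
from pathlib import Path

UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
INITD_DIR = "etc/init.d"
# ExecStart may carry systemd prefixes such as '-', '@', '+', '!' before the path.
EXECSTART_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*[-@+!:]*(\S+)", re.M)
# Absolute paths inside SysV scripts (crude, but enough to pull out launched binaries).
ABS_PATH_RE = re.compile(r"(?<![\w/])(/(?:[\w.+-]+/)*[\w.+-]+)")


def _rooted(root, abs_path):
    """Map an absolute path from a config file onto the filesystem root being scanned."""
    return Path(root) / abs_path.lstrip("/")


def binaries_from_units(root):
    """Return {binary_path: {unit files that start it}} from systemd .service files."""
    found = {}
    for d in UNIT_DIRS:
        udir = Path(root) / d
        if not udir.is_dir():
            continue
        for unit in udir.glob("*.service"):
            for m in EXECSTART_RE.finditer(unit.read_text(errors="replace")):
                found.setdefault(m.group(1), set()).add(str(unit))
    return found


def binaries_from_initd(root):
    """Return {binary_path: {init scripts that reference it}} for paths that exist and are executable."""
    found = {}
    idir = Path(root) / INITD_DIR
    if idir.is_dir():
        for script in idir.iterdir():
            if not script.is_file():
                continue
            for m in ABS_PATH_RE.finditer(script.read_text(errors="replace")):
                target = _rooted(root, m.group(1))
                if target.is_file() and os.access(target, os.X_OK):
                    found.setdefault(m.group(1), set()).add(str(script))
    return found


def hidden_siblings(root, binary):
    """Hidden regular files that share a directory with the given binary."""
    target = _rooted(root, binary)
    if not target.is_file():
        return []
    return sorted(p.name for p in target.parent.iterdir() if p.name.startswith(".") and p.is_file())


def hunt(root):
    """Combine both persistence sources and flag binaries with hidden neighbours."""
    sources = binaries_from_units(root)
    for binary, scripts in binaries_from_initd(root).items():
        sources.setdefault(binary, set()).update(scripts)
    findings = []
    for binary, srcs in sorted(sources.items()):
        hidden = hidden_siblings(root, binary)
        if hidden:
            findings.append({"binary": binary, "persistence": sorted(srcs), "hidden_files": hidden})
    return findings


def build_fixture():
    """Constructed fake root: one benign service and one suspicious one (hypothetical names)."""
    root = Path(tempfile.mkdtemp(prefix="dinodas-hunt-"))
    (root / "usr/sbin").mkdir(parents=True)
    (root / "usr/sbin/sshd").write_bytes(b"\x7fELF")
    (root / "usr/sbin/sshd").chmod(0o755)
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "etc/systemd/system/ssh.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    # Suspicious: binary in an odd directory, hidden file beside it, started from both init systems.
    (root / "opt/cache").mkdir(parents=True)
    (root / "opt/cache/cached").write_bytes(b"\x7fELF")
    (root / "opt/cache/cached").chmod(0o755)
    (root / "opt/cache/.cached.lock").write_bytes(b"")  # hypothetical mutex file name
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/init.d/cached").write_text("#!/bin/sh\n/opt/cache/cached &\n")
    (root / "etc/systemd/system/cached.service").write_text("[Service]\nExecStart=-/opt/cache/cached\n")
    return root


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for f in hunt(scan_root):
        print(f"{f['binary']}: hidden {f['hidden_files']} started by {f['persistence']}")
```

Run it with no arguments to scan the constructed fixture, or pass `/` to scan a live host. It covers only the file-level indicators from the article (mutex file plus start-up persistence); the re-exec-with-waiting-parent behaviour is a process-tree observation and would need a separate check over /proc.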
"The backdoor is fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage," Kaspersky says. Kaspersky does not provide details about the initial infection method but notes that since October 2023 the malware has hit victims in China, Taiwan, Turkey and Uzbekistan.
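The article notes that the Linux variant encrypts its C2 traffic with TEA in CBC mode. Anyone writing a traffic decryptor needs a correct TEA-CBC implementation, and anyone assessing the choice should know that TEA is a 1994 lightweight cipher with a 64-bit block and equivalent keys. The following is an added example written for this page, not code taken from Kaspersky's analysis or from the malware: the standard TEA round function is reproduced exactly, but the little-endian word order, the PKCS#7-style padding, the IV handling and the constructed key and payload are assumptions, since the article gives none of those details.

```python
"""TEA in CBC mode, plus a demonstration of TEA's equivalent-key weakness.
Constructed example; key schedule, byte order, padding and IV handling are
assumptions, not details from the Kaspersky report."""
import os
import struct

DELTA = 0x9E3779B9   # TEA round constant, floor(2**32 / golden ratio)
MASK = 0xFFFFFFFF
ROUNDS = 32          # standard TEA: 32 cycles (64 Feistel rounds)
BLOCK = 8            # 64-bit block, 128-bit key


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block given as two uint32 words; k is four uint32 words."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: same round function, applied in reverse order."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _key_words(key):
    if len(key) != 16:
        raise ValueError("TEA needs a 128-bit key")
    # Assumption: little-endian word order, what a C implementation casting a
    # byte buffer to uint32_t on x86 would get.
    return struct.unpack("<4I", key)


def _pad(data):
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n   # PKCS#7-style padding (assumption)


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def tea_cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    k = _key_words(key)
    prev = struct.unpack("<2I", iv)
    padded = _pad(plaintext)
    out = bytearray()
    for i in range(0, len(padded), BLOCK):
        p0, p1 = struct.unpack_from("<2I", padded, i)
        c = tea_encrypt_block(p0 ^ prev[0], p1 ^ prev[1], k)
        out += struct.pack("<2I", *c)
        prev = c
    return bytes(out)


def tea_cbc_decrypt(key, iv, ciphertext):
    """Reverse CBC chaining, then strip padding; rejects malformed input."""
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    k = _key_words(key)
    prev = struct.unpack("<2I", iv)
    out = bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = struct.unpack_from("<2I", ciphertext, i)
        p0, p1 = tea_decrypt_block(c[0], c[1], k)
        out += struct.pack("<2I", p0 ^ prev[0], p1 ^ prev[1])
        prev = c
    return _unpad(bytes(out))


def equivalent_key(key):
    """TEA weakness: flipping bit 31 of both k[0] and k[1] (or of both k[2] and k[3])
    leaves every round function unchanged, because the two flipped terms are XORed
    together. Each key therefore has three twins and the effective key size is 126 bits."""
    k = list(_key_words(key))
    k[0] ^= 0x80000000
    k[1] ^= 0x80000000
    return struct.pack("<4I", *k)


if __name__ == "__main__":
    key = bytes(range(16))                         # constructed key
    iv = os.urandom(8)
    msg = b"host=web01;os=Ubuntu 22.04;uid=0"      # constructed beacon-style payload
    ct = tea_cbc_encrypt(key, iv, msg)
    assert tea_cbc_decrypt(key, iv, ct) == msg
    assert tea_cbc_encrypt(equivalent_key(key), iv, msg) == ct
    print(ct.hex())
```

The decrypt routine is the piece an analyst reuses against captured TCP or UDP payloads once the key material has been recovered from the binary; the `equivalent_key` check is the reason a key brute-force over TEA needs only 2^126 work rather than 2^128, and a reminder that the cipher choice says more about the author's convenience than about the traffic's confidentiality.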

Daily Brief Summary

NATION STATE ACTIVITY // DinodasRAT: Espionage Malware Infects Linux Servers Globally

DinodasRAT, primarily targeting Red Hat and Ubuntu Linux servers, has been implicated in an espionage campaign possibly since 2022.

ESET had previously discovered the malware attacking Windows in 'Operation Jacana,' aiming at governmental bodies.

Kaspersky's report indicates that DinodasRAT for Linux creates a hidden mutex file beside its binary, establishes persistence through SystemV or systemd startup scripts, and encrypts its C2 traffic with TEA in CBC mode.

The malware's functionality includes monitoring, controlling, and data exfiltration from infected systems, granting attackers full control over compromised servers.

While the initial infection vectors are unclear, Kaspersky observed infections in regions like China, Taiwan, Turkey, and Uzbekistan since October 2023.

Trend Micro has linked the malware to a Chinese APT group 'Earth Krahang,' which has compromised both Windows and Linux systems at government targets worldwide.