DinodasRAT
A cross-platform backdoor known as DinodasRAT has surfaced in the wild, specifically targeting regions such as China, Taiwan, Turkey and Uzbekistan. Also recognized as XDealer, DinodasRAT operates on Linux systems and is built in C++, which is equipped to extract a diverse array of sensitive data from compromised machines.
In October 2023, investigators disclosed that a governmental body in Guyana was under siege as part of a cyber espionage initiative termed Operation Jacana, focusing on deploying the Windows iteration of this threatening implant. In late March 2024, researchers outlined a cluster of threat activities known as Earth Krahang, which has apparently transitioned to employing DinodasRAT since 2023 in its assaults, targeting numerous government entities across the globe.
Table of Contents
DinodasRAT Has Been Continuously Developed by Cybercriminals
The use of DinodasRAT has been attributed to various China-nexus threat actors, including LuoYu, once again reflecting the tool sharing prevalent among hacking crews identified as acting on behalf of the country.
Researchers stumbled across a Linux version of the malware (V10) in early October 2023. Evidence gathered so far shows that the first known variant (V7) dates back to July 2021. A next-generation version (V11) has since been detected in November 2023.
It's mainly designed to target Red Hat-based distributions and Ubuntu Linux. Upon execution, it establishes persistence on the host by using SystemV or SystemD startup scripts. It periodically contacts a remote server over TCP or UDP to fetch the commands to be run.
DinodasRAT Is a Sophisticated Threat with Numerous Intrusive Capabilities
DinodasRAT comes equipped with a variety of capabilities, including file operations, altering Command-and-Control (C2) addresses, identifying and terminating active processes, executing shell commands, fetching updated versions of the backdoor, and even self-removal.
To avoid detection by debugging and monitoring tools, DinodasRAT employs evasion techniques. Similar to its Windows counterpart, it utilizes the Tiny Encryption Algorithm (TEA) to encrypt C2 communications.
DinodasRAT primarily focuses on establishing and sustaining access via Linux servers rather than reconnaissance. It operates efficiently, granting the operator total control over the compromised system and facilitating data theft and espionage.
Believed to have originated from an open-source project known as SimpleRemoter, which is rooted in the Gh0st RAT, DinodasRAT has evolved into a fully functional malware with significant capabilities. The newly-discovered Linux version of the threat has been tracked by some researchers, such as Linodas.
A Linux Variant of DinodasRAT Has Emerged
The individuals behind this threat demonstrate high proficiency in Linux systems. Their decision to support this operating system goes beyond a mere adaptation of a Windows Remote Access Trojan (RAT) with conditional compilation directives (#ifdef). Rather, it involves an entirely distinct project with its own codebase, possibly managed by a separate development team.
This latest iteration of the backdoor introduces new functionalities, including the ability to create multiple threads for system monitoring, downloading supplementary modules capable of disrupting specific system binaries, and terminating inactive reverse shell sessions after approximately one hour.
The primary purpose of the additional module, referred to as the 'filter module,' is to serve as a proxy for executing original binaries (e.g., commands such as 'who,' 'netstat,' and 'ps') and controlling their output. This enables threat actors to extract information from the host while evading detection more effectively.
The sophistication and expanded capabilities observed in this threat underscore the ongoing focus of threat actors on targeting Linux servers. Such attacks serve both to establish a persistent presence and to serve as a pivot point within compromised networks. This strategy likely capitalizes on the comparatively lower level of security measures typically deployed on Linux systems, enabling attackers to deepen their foothold and operate covertly for extended periods.
