
Emergence of DinodasRAT: A Cross-Platform Cyberespionage Threat Expands to Linux

Charles M. Walls | March 29, 2024

[Image: digital world map with China, Taiwan, Turkey, and Uzbekistan highlighted]

Cybersecurity researchers have uncovered a new variant of a sophisticated cyberespionage tool, known as DinodasRAT or XDealer, that has been used against targets in China, Taiwan, Turkey, and Uzbekistan. The variant, documented by Kaspersky, shows that the malware now runs on Linux as well as Windows.

Written in C++, DinodasRAT is known for harvesting a wide range of sensitive data from the hosts it compromises. The malware first drew public attention in October 2023, when ESET, a cybersecurity firm based in Slovakia, reported that a Windows version had been used in a cyberespionage operation, dubbed Operation Jacana, against a governmental body in Guyana.

Further insights came from Trend Micro, which last week published details on a group it tracks as Earth Krahang. The group has been deploying DinodasRAT since 2023 in attacks on government institutions worldwide, showing how widely the tool is used.

Attribution of DinodasRAT has repeatedly pointed to China-nexus groups such as LuoYu, reflecting the tool sharing that is common among espionage operators linked to the country.

In early October 2023, Kaspersky identified a Linux build of DinodasRAT (version 10). The discovery also let the researchers trace the Linux lineage back to its first known version (version 7), dating from 2021. This variant primarily targets Red Hat-based and Ubuntu distributions. It persists by installing SystemV or SystemD startup scripts, and it communicates with its command-and-control server over TCP or UDP to receive operator commands.
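Because the Linux variant persists through SystemV or SystemD startup entries, a first triage step on a suspect host is to enumerate those entries and flag any that launch a program from a location a packaged service would not use. The script below is an added example written for this article, not code from Kaspersky or from any of the cited reports; the suspicious-directory list, the unit and init-script names, and the sample files it builds are all constructed assumptions for demonstration, not indicators from the DinodasRAT analysis.

```python
import os
import re
import tempfile

# Directories a legitimately packaged service almost never executes from.
# Heuristic list assumed for this example, not indicators from the report.
SUSPICIOUS_DIR = re.compile(r"^(/tmp|/var/tmp|/dev/shm|/home/[^/]+|/root|/var/www)(/|$)")

# Where systemd units and SysV init scripts live on Red Hat-based and Ubuntu hosts.
DEFAULT_UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
DEFAULT_INITD = "/etc/init.d"

# Words in a shell init script after which the next absolute path is a program being started.
LAUNCHERS = {"exec", "nohup", "setsid", "daemon", "--exec", "-x"}


def exec_paths_from_unit(text):
    """Return the executables named by ExecStart*/ExecStartPre lines of a systemd unit."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(("ExecStart=", "ExecStartPre=", "ExecStartPost=")):
            continue
        cmd = line.split("=", 1)[1].strip()
        cmd = cmd.lstrip("-@+!:")  # systemd permits these prefix characters before the path
        if cmd:
            paths.append(cmd.split()[0])
    return paths


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


def scan_systemd(unit_dirs):
    """Flag .service units whose ExecStart points into a suspicious directory."""
    hits = []
    for d in unit_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if not name.endswith(".service") or not os.path.isfile(full):
                continue
            for p in exec_paths_from_unit(_read(full)):
                if SUSPICIOUS_DIR.match(p):
                    hits.append((full, "ExecStart runs %s" % p))
    return hits


def scan_initd(initd_dir):
    """Flag SysV init scripts that launch a program from a suspicious directory."""
    hits = []
    if not os.path.isdir(initd_dir):
        return hits
    for name in sorted(os.listdir(initd_dir)):
        full = os.path.join(initd_dir, name)
        if not os.path.isfile(full):
            continue
        for line in _read(full).splitlines():
            toks = line.split("#", 1)[0].split()  # drop shell comments, then tokenize
            for i, tok in enumerate(toks):
                if tok.startswith("/") and SUSPICIOUS_DIR.match(tok) and (i == 0 or toks[i - 1] in LAUNCHERS):
                    hits.append((full, "launches %s" % tok))
    return hits


def scan(root="/"):
    """Scan the standard unit and init.d locations under root (root != '/' for offline images)."""
    unit_dirs = [os.path.join(root, d.lstrip("/")) for d in DEFAULT_UNIT_DIRS]
    return scan_systemd(unit_dirs) + scan_initd(os.path.join(root, DEFAULT_INITD.lstrip("/")))


def build_sample_tree():
    """Constructed sample data: one benign unit, one suspicious unit, one suspicious SysV script."""
    root = tempfile.mkdtemp(prefix="persist-demo-")
    unit_dir = os.path.join(root, "etc/systemd/system")
    initd = os.path.join(root, "etc/init.d")
    os.makedirs(unit_dir)
    os.makedirs(initd)
    with open(os.path.join(unit_dir, "sshd.service"), "w") as f:
        f.write("[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n")
    with open(os.path.join(unit_dir, "sysupdate.service"), "w") as f:  # hypothetical name
        f.write("[Unit]\nDescription=system update\n[Service]\n"
                "ExecStart=-/tmp/.cache/sysupdate --daemon\nRestart=always\n")
    with open(os.path.join(initd, "netcheck"), "w") as f:  # hypothetical name
        f.write("#!/bin/sh\n# chkconfig: 2345 99 01\ncase \"$1\" in\n  start)\n"
                "    nohup /var/tmp/.netcheck/agent >/dev/null 2>&1 &\n    ;;\nesac\n")
    return root


if __name__ == "__main__":
    for path, reason in scan(build_sample_tree()):
        print(path, "->", reason)
```

Run it with `scan("/")` on a live host or with a mounted image root to triage real systems; the hits are leads for an analyst to check against package ownership (`rpm -qf` or `dpkg -S`) and file timestamps, not verdicts.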

The Linux build offers the same functionality as the Windows version: file and process management, command execution, and command-and-control traffic encrypted with the Tiny Encryption Algorithm (TEA). It also includes evasion features aimed at detection tools, which points to its use for long-term access and surveillance rather than one-off reconnaissance.
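An analyst who recovers the TEA key from a sample can decrypt captured command-and-control traffic, and the cipher itself is small enough to reimplement in a few dozen lines. The code below is an added example for this article, not code from the malware or from Kaspersky's analysis: it implements standard TEA (64-bit blocks, 128-bit key, 32 cycles) in CBC mode. The word endianness, the CBC chaining, the PKCS#7-style padding, and the key and beacon text are assumptions chosen for the demonstration; an analyst must confirm each from the actual sample before using this on real traffic.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA's golden-ratio constant
CYCLES = 32          # standard TEA: 32 cycles of two Feistel half-rounds each


def tea_encrypt_block(block, key, endian="<"):
    """Encrypt one 8-byte block under a 16-byte key.

    endian selects how the bytes are read as 32-bit words; "<" matches C code on
    x86 that casts the buffer to uint32_t*. This is an assumption to verify per sample.
    """
    v0, v1 = struct.unpack(endian + "2I", block)
    k = struct.unpack(endian + "4I", key)
    s = 0
    for _ in range(CYCLES):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return struct.pack(endian + "2I", v0, v1)


def tea_decrypt_block(block, key, endian="<"):
    """Inverse of tea_encrypt_block: run the schedule backwards from s = CYCLES * DELTA."""
    v0, v1 = struct.unpack(endian + "2I", block)
    k = struct.unpack(endian + "4I", key)
    s = (DELTA * CYCLES) & MASK32
    for _ in range(CYCLES):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack(endian + "2I", v0, v1)


def pkcs7_pad(data, bs=8):
    n = bs - len(data) % bs
    return data + bytes([n]) * n


def pkcs7_unpad(data, bs=8):
    if not data or not 1 <= data[-1] <= bs or data[-data[-1]:] != bytes([data[-1]]) * data[-1]:
        raise ValueError("bad padding: wrong key, wrong mode/endianness, or truncated data")
    return data[:-data[-1]]


def tea_cbc_encrypt(plaintext, key, iv, endian="<"):
    """CBC: XOR each plaintext block with the previous ciphertext block (IV first), then encrypt."""
    data = pkcs7_pad(plaintext)
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        prev = tea_encrypt_block(bytes(a ^ b for a, b in zip(data[i:i + 8], prev)), key, endian)
        out += prev
    return bytes(out)


def tea_cbc_decrypt(ciphertext, key, iv, endian="<"):
    """CBC inverse: decrypt each block, XOR with the previous ciphertext block (IV first)."""
    if len(ciphertext) % 8:
        raise ValueError("ciphertext is not a multiple of the 8-byte block size")
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), 8):
        blk = ciphertext[i:i + 8]
        out += bytes(a ^ b for a, b in zip(tea_decrypt_block(blk, key, endian), prev))
        prev = blk
    return pkcs7_unpad(bytes(out))


# Constructed placeholder key, IV and beacon text for the demo; not values from the malware.
SAMPLE_KEY = bytes(range(16))
SAMPLE_IV = bytes(8)
SAMPLE_BEACON = b"HOST=web01;USER=root;VER=10"


def demo():
    """Encrypt a constructed beacon as an implant would, then recover it as an analyst would."""
    wire = tea_cbc_encrypt(SAMPLE_BEACON, SAMPLE_KEY, SAMPLE_IV)
    return wire, tea_cbc_decrypt(wire, SAMPLE_KEY, SAMPLE_IV)


if __name__ == "__main__":
    wire, recovered = demo()
    print("on the wire:", wire.hex())
    print("recovered:  ", recovered.decode())
```

If decryption of real traffic yields padding errors or garbage, try the other word order (`endian=">"`), check whether the sample uses a variant such as XTEA or a non-standard cycle count, and confirm how the IV is derived, since each of these changes the output while leaving the core routine above intact.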

This full-featured backdoor empowers its operators with comprehensive control over compromised systems, paving the way for data theft and espionage. The emergence of a Linux version of DinodasRAT underscores the continuous evolution and adaptation of cyber threats, highlighting the importance of vigilance in the ever-changing landscape of cybersecurity.
