A Linux version of a cross-platform backdoor called DinodasRAT has been detected in the wild against China, Taiwan, Turkey and Uzbekistan, new Kaspersky findings reveal.
DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to collect a wide range of sensitive data from compromised hosts.
In October 2023, Slovakian cybersecurity company ESET revealed that a government entity in Guyana was targeted as part of a cyber espionage campaign called Operation Jacana to deploy the Windows version of the plant.
Last week, Trend Micro detailed a cluster of threat activity that it tracks as Earth Krahang and which has transitioned to using DinodasRAT since 2023 in its attacks targeting several government entities around the world.
The use of DinodasRAT has been attributed to various China-linked threat actors, including LuoYu, once again reflecting the prevalent tool-sharing among hacking teams identified as acting on behalf of the country.
Kaspersky said it discovered a Linux version of the malware (V10) in early October 2023. Evidence gathered so far shows that the first known variant (V7) dates back to 2021.
It is primarily designed to target Red Hat and Ubuntu Linux-based distributions. At run time, it establishes persistence on the host using SystemV or SystemD startup scripts and periodically contacts a remote server over TCP or UDP to retrieve commands to execute.
DinodasRAT is capable of performing file operations, modifying command and control (C2) addresses, enumerating and terminating running processes, executing shell commands, downloading a new version of the backdoor, and even uninstalling itself.
It also takes steps to evade detection via debugging and monitoring tools, and like its Windows counterpart, uses the Tiny Encryption Algorithm (TEA) to encrypt C2 communications.
“The primary use case for DinodasRAT is to gain and maintain access via Linux servers rather than via reconnaissance,” Kaspersky said. “The backdoor is fully functional and grants the operator complete control over the infected machine, allowing for data exfiltration and espionage.”