DinodasRAT malware focuses on Linux servers in a spying operation

Security experts have detected instances of Red Hat and Ubuntu systems coming under attack from a Linux version of the DinodasRAT malware, also known as XDealer, which may have been active since 2022.

Although the Linux variant of DinodasRAT had not been publicly described before now, the first version of the malware dates back to 2021. Previously, cybersecurity firm ESET had identified DinodasRAT targeting Windows systems in an espionage campaign called ‘Operation Jacana,’ which specifically aimed at government organizations.

Recently, Trend Micro reported on a Chinese APT group dubbed ‘Earth Krahang,’ which utilized XDealer to infiltrate both Windows and Linux systems belonging to governments worldwide.

DinodasRAT Overview:

According to a recent report by Kaspersky researchers, the Linux version of DinodasRAT creates a hidden file upon execution in the directory where its binary resides, serving as a mutex to prevent multiple instances from running simultaneously on the infected device.

Subsequently, the malware establishes persistence on the compromised computer using either SystemV or SystemD startup scripts. To evade detection, the malware executes once more while the parent process remains idle.

The malware then fingerprints the infected machine using infection, hardware, and system details and reports them to the command and control (C2) server, which uses them to manage victim hosts. Communication with the C2 server runs over TCP or UDP, with the malware employing the Tiny Encryption Algorithm (TEA) in CBC mode to protect the exchanged data.
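As an added illustration of the cipher named above (this is not code from the Kaspersky report or from the malware), the following implements standard TEA in CBC mode so an analyst can see how C2 traffic of this kind is encrypted and, once a sample's key is recovered, decrypted. The 128-bit key, the IV, little-endian word order and PKCS#7-style padding are assumptions; the article states none of the sample's actual parameters.

```python
import struct

DELTA = 0x9E3779B9   # TEA's published round constant
MASK32 = 0xFFFFFFFF
CYCLES = 32          # standard TEA: 32 cycles, each two Feistel half-rounds
BLOCK = 8            # TEA works on 64-bit blocks, so CBC chains 8-byte units

def _encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block; little-endian word order is an assumption."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack("<2I", v0, v1)

def _decrypt_block(block: bytes, key: bytes) -> bytes:  # inverse of _encrypt_block
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    total = (DELTA * CYCLES) & MASK32   # schedule value after the last cycle
    for _ in range(CYCLES):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return struct.pack("<2I", v0, v1)

def tea_cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """CBC: XOR each block with the previous ciphertext block, then apply TEA."""
    pad = BLOCK - len(plaintext) % BLOCK          # PKCS#7-style padding (assumed)
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _encrypt_block(chunk, key)
        out += prev
    return bytes(out)

def tea_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    """Decrypt captured traffic and strip padding; rejects a wrong key/IV when the padding is invalid."""
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(_decrypt_block(block, key), prev))
        prev = block
    pad = out[-1] if out else 0
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key, IV or block layout")
    return bytes(out[:-pad])
```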

DinodasRAT’s Capabilities:

DinodasRAT is equipped with functionalities intended for monitoring, controlling, and exfiltrating data from compromised systems. Its key features include:

– Monitoring and harvesting data related to user activities, system configurations, and running processes.
– Executing commands received from the C2 server, such as file and directory actions, shell command execution, and updating the C2 address.
– Enumerating, starting, stopping, and managing processes and services on the infected system.
– Providing attackers with a remote shell for direct command execution or file execution in separate threads.
– Proxying C2 communications through remote servers.
– Downloading new iterations of the malware potentially containing enhancements and additional capabilities.
– Uninstalling itself and erasing all traces of its previous activity from the system.

Kaspersky researchers highlight that DinodasRAT affords the attacker complete control over compromised systems, primarily leveraging Linux servers to gain and sustain access to the target.

The researchers refrain from disclosing the initial infection method but note that since October 2023, the malware has affected victims in China, Taiwan, Turkey, and Uzbekistan.