DinodasRAT Malware Targets Red Hat and Ubuntu Linux Servers for Cyber Espionage

Written by Mitchell Langley

April 2, 2024

Security researchers have recently detected attacks targeting Red Hat and Ubuntu systems by a Linux version of the DinodasRAT malware, also known as XDealer.


These attacks may have been ongoing since 2022, although the initial version of the malware was identified in 2021.

While the specific details of the Linux variant have not been publicly disclosed, cybersecurity company ESET has previously observed DinodasRAT compromising Windows systems in an espionage campaign called ‘Operation Jacana,’ which primarily targeted government entities.

Additionally, Trend Micro reported earlier this month on an APT group known as ‘Earth Krahang,’ which utilized XDealer to breach both Windows and Linux systems of governments worldwide.

DinodasRAT Malware Details

According to a recent report by Kaspersky, the Linux version of DinodasRAT follows a fixed sequence of steps upon execution.

Figure: Malware’s Execution Logic (Source: Kaspersky)

Firstly, it creates a hidden file in the same directory as its binary, serving as a mutex to ensure that only one instance runs on the infected device.

The malware then establishes persistence on the computer using either SystemV or SystemD startup scripts.

To evade detection, the malware executes once more while the parent process waits. Furthermore, the infected machine is labeled with infection, hardware, and system details, and the collected data is sent to the command and control (C2) server for managing victim hosts.
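
A hunting heuristic built on the two behaviours described above (a hidden file beside the binary, and persistence through SystemV or SystemD startup scripts), added here as an example that is not from Kaspersky's report or the original article. It lists the binaries that startup entries launch and flags those that share a directory with a hidden file; the startup directories, the regexes and every sample file name are assumptions constructed for illustration, not DinodasRAT indicators.

```python
import re
import tempfile
from pathlib import Path

# Startup locations, relative to the root of the filesystem (or mounted image) under review.
SOURCES = [("etc/systemd/system", "*.service"), ("usr/lib/systemd/system", "*.service"),
           ("etc/init.d", "*")]
EXEC_START = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(/\S+)", re.M)  # systemd units
ABS_PATH = re.compile(r"(?<![\w.])(/(?:[\w.+-]+/)+[\w.+-]+)")          # SysV init scripts

def startup_targets(root):
    """Return sorted (startup_file, absolute_path) pairs named by startup entries."""
    pairs = set()
    for rel, pattern in SOURCES:
        regex = EXEC_START if pattern == "*.service" else ABS_PATH
        for f in filter(Path.is_file, (Path(root) / rel).glob(pattern)):
            hits = regex.findall(f.read_text(errors="replace"))
            pairs.update((str(f.relative_to(root)), hit) for hit in hits)
    return sorted(pairs)

def hunt(root="/"):
    """Flag startup targets that exist and share a directory with a hidden regular file."""
    findings = []
    for startup, target in startup_targets(root):
        path = Path(root) / target.lstrip("/")
        if not path.is_file():
            continue
        hidden = sorted(p.name for p in path.parent.iterdir()
                        if p.name.startswith(".") and p.is_file())
        if hidden:
            findings.append((startup, target, hidden))
    return findings

def build_sample_tree():
    """Constructed tree with made-up names: two entries that should be flagged, one clean."""
    root = Path(tempfile.mkdtemp())
    files = {
        "etc/systemd/system/sample-agent.service": "[Service]\nExecStart=/opt/sample/agentd --run\n",
        "usr/lib/systemd/system/clean.service": "[Service]\nExecStart=-/usr/sbin/cleand\n",
        "etc/init.d/sample-legacy": "#!/bin/sh\nDAEMON=/opt/legacy/legacyd\n$DAEMON &\n",
        "opt/sample/agentd": "", "opt/sample/.agentd.lock": "", "usr/sbin/cleand": "",
        "opt/legacy/legacyd": "", "opt/legacy/.legacyd.pid": "",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    print(hunt(build_sample_tree()))
```

Hits are leads to triage, not verdicts: legitimate software also keeps dotfiles beside its binaries, so each flagged path still needs checking against package ownership and file timestamps.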

Figure: Malware Creating a Unique ID for Victim (Source: Kaspersky)

The Linux variant of DinodasRAT communicates with the command and control (C2) server using TCP or UDP protocols.

To protect the confidentiality of the data it exchanges with the C2 server, the malware encrypts it with the Tiny Encryption Algorithm (TEA) in CBC mode.

Figure: Dinodas Malware Network Packet Structure (Source: Kaspersky)

DinodasRAT malware possesses a range of capabilities specifically designed for monitoring, controlling, and extracting data from compromised systems. Its key functionalities include:

  • Monitoring and harvesting data related to user activities, system configurations, and running processes.
  • Executing commands received from the command and control (C2) server, which may involve actions related to files and directories, execution of shell commands, and updating the C2 address.
  • Enumerating, starting, stopping, and managing processes and services on the infected system.
  • Providing the attackers with a remote shell for direct command execution or file manipulation in separate threads.
  • Proxying C2 communications through remote servers, enhancing stealth and obfuscation.
  • Downloading new iterations of the malware, potentially incorporating enhancements and additional capabilities.
  • Uninstalling itself and thoroughly erasing all traces of its previous activities from the compromised system.

According to the researchers, DinodasRAT malware grants the attacker full control over compromised systems. They emphasize that the threat actor primarily utilizes the malware to gain initial access to the target and subsequently maintain that access through Linux servers.

“The backdoor is fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage,” Kaspersky says.

Kaspersky’s report does not disclose specific information about the initial method of infection. However, it highlights that starting from October 2023, the DinodasRAT malware has been observed targeting victims in China, Taiwan, Turkey, and Uzbekistan.
