DinodasRAT's Linux Variant Uncovered

Dinodas RAT

A recent discovery by cybersecurity researchers has unveiled a new threat to Linux systems: the DinodasRAT malware, also known as XDealer. While this malware has been targeting Windows systems since last fall, it is now making its presence known on Linux platforms as well, with activity dating back to 2022.

Infection flow of DinodasRAT

DinodasRAT for Windows

The Windows-focused attacks, termed "Operation Jacana" by ESET researchers, were highlighted for targeting government organizations worldwide for cyber espionage. Another notable finding came from Trend Micro, who identified a Chinese APT group, Earth Krahang, utilizing the XDealer malware to infiltrate both Windows and Linux systems of government bodies globally.

Linux variant of DinodasRAT

Kaspersky Lab's recent report delves into the specifics of the Linux variant of DinodasRAT, describing it as a versatile backdoor written in C++. The researchers note that while they haven't pinpointed the initial infection method, they have observed attacks targeting victims in China, Taiwan, Turkey, and Uzbekistan since October 2023. DinodasRAT provides attackers with full control over compromised systems, primarily through Linux servers.

DinodasRAT's code for the Linux version.

The backdoor ensures it stays on the infected system by following these steps:

  1. It runs in the background as a daemon, via the Linux "daemon" function, without needing any command-line arguments.
  2. It establishes long-term presence on the system by installing startup scripts for either SystemV or systemd.
  3. It forks itself: the original (parent) process waits while the newly created child process continues the infection. This not only confirms successful execution but also makes detection harder for monitoring tools.

Persistence Method

Before connecting to the C2 server, the backdoor collects machine details to create a unique identifier. This identifier includes the infection date, MD5 hash of system hardware details, a random number, and the backdoor version. The format is usually Linux_{DATE}_{HASH}_{RAND_NUM}_{VERSION}.

Conf file

The implant stores victim details in a hidden file named "/etc/.netc.conf", containing metadata. If the file doesn't exist, Dinodas creates it, following a structured format.

It also takes care that accessing this file, or its own file path, does not leave an updated "access" time in the file's stat structure, which holds the file's timestamps. It does this by rewriting that metadata with the "touch" command and its "-d" parameter.

Tampered Metadata
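A small hunting helper for the host artefacts described above (the hidden config path, the victim identifier format, and the "touch -d" timestamp trick). This is an added example, not code from the Kaspersky report or from the malware; the identifier field widths, the timestamp heuristic and every sample value are constructed assumptions.

```python
#!/usr/bin/env python3
"""Hunting helpers for the DinodasRAT Linux artefacts described in this post.
Added example; the identifier field shapes and the timestamp heuristic are
assumptions, and every sample value below is constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

# Victim identifier format from the text: Linux_{DATE}_{HASH}_{RAND_NUM}_{VERSION}.
# Assumed field shapes: DATE = digits, HASH = 32 hex chars (MD5), RAND_NUM = digits,
# VERSION = dotted digits. Adjust if a real sample shows otherwise.
ID_RE = re.compile(r"^Linux_(\d{6,14})_([0-9a-fA-F]{32})_(\d+)_(\d+(?:\.\d+)*)$")

CONF_PATH = "etc/.netc.conf"  # hidden metadata file named in the text, relative to the scan root


def parse_victim_id(candidate):
    """Return (date, md5, rand_num, version) if the string matches the identifier format, else None."""
    match = ID_RE.match(candidate.strip())
    return match.groups() if match else None


def looks_timestomped(atime, mtime, ctime, slack=3600):
    """touch -d rewrites atime and mtime, but the kernel always sets ctime to 'now' for that
    metadata change, so a file whose ctime is far later than both atime and mtime deserves a look."""
    return ctime - max(atime, mtime) > slack


def check_host(root="/"):
    """Return a list of findings for the host rooted at `root` (a non-root value lets tests use a scratch dir)."""
    findings = []
    conf = Path(root) / CONF_PATH
    if conf.exists():
        st = conf.stat()
        findings.append(f"hidden config present: {conf}")
        if looks_timestomped(st.st_atime, st.st_mtime, st.st_ctime):
            findings.append(f"timestamps tampered: {conf}")
    return findings


def demo_scratch_host():
    """Build a constructed scratch root holding a hidden config whose atime/mtime were
    pushed 30 days into the past (what touch -d does), then scan it."""
    root = tempfile.mkdtemp(prefix="dinodas_demo_")
    conf = Path(root) / CONF_PATH
    conf.parent.mkdir(parents=True)
    conf.write_text("Linux_20231001_0123456789abcdef0123456789abcdef_4242_1.0\n")  # constructed
    old = time.time() - 30 * 86400
    os.utime(conf, (old, old))  # like `touch -d '30 days ago'`; ctime stays at now
    return check_host(root)


if __name__ == "__main__":
    for line in demo_scratch_host():
        print(line)
```

Run it with `root="/"` on a live host to check the real path; the ctime-versus-mtime gap is a heuristic, so treat a hit as a lead to verify, not proof on its own.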

The DinodasRAT Linux version uses the systemd and SystemV service managers for persistence. It identifies the victim's Linux distribution using "/proc/version", targeting RedHat and Ubuntu, and installs the appropriate init script so that the implant is launched after the network has been set up.

The Linux DinodasRAT communicates with the C2 using TCP or UDP, with the C2 domain and port hard-coded into the implant. It sends information back at timed intervals, with different wait times depending on user privileges and configuration settings.

TEA for Encryption

The Linux version of DinodasRAT employs Pidgin's libqq qq_crypt library functions for encryption and decryption of communication with the C2 server, as well as for encrypting data. This library utilizes the Tiny Encryption Algorithm (TEA) in Cipher Block Chaining (CBC) mode, ensuring compatibility across platforms. Additionally, the Linux variant shares two encryption keys with the Windows version.

Encryption Keys

Conclusion

In October 2023, ESET reported a campaign named Operation Jacana targeting Windows systems. Subsequently, it was discovered that the operators of Jacana are capable of infecting Linux infrastructure with a new variant of DinodasRAT, previously unknown and undetected. This variant shares similarities with the Windows samples described by ESET. DinodasRAT primarily aims to gain and maintain access through Linux servers, focusing on hardware-specific information rather than user data for infection management. This backdoor provides full control over compromised machines, facilitating data exfiltration and espionage.

Best Practices for Defending Against Emerging Cyber Threats

  • Get a good Anti-Malware Solution
  • Install a firewall
  • Never open suspicious Web Links
  • Install System Updates
  • Update your (Security) programs regularly
  • Avoid downloading cracked software
  • Be wary of phishing and help desk scams
