Uncovering the Threat: Powerful Malware Takes Aim at Linux Servers in Espionage Attack

    Linux Servers Targeted by DinodasRAT Malware for Espionage Campaign

    Security researchers report that Red Hat and Ubuntu systems have been attacked by a Linux version of the DinodasRAT (also known as XDealer) malware, in activity believed to have been running since 2022. This is a cause for concern for users of these popular open source operating systems.

    The Linux variant of DinodasRAT was first tracked in 2021, although it had not been publicly described until now. Cybersecurity company ESET previously reported DinodasRAT being used in an espionage campaign targeting governmental entities, code-named ‘Operation Jacana’.

    In a more recent incident, Trend Micro reported that a Chinese APT group tracked as ‘Earth Krahang’ used XDealer to breach both Windows and Linux systems of governments worldwide.

    Details of DinodasRAT

    Kaspersky researchers released a report outlining the functionality of the Linux variant of DinodasRAT. Once executed, the malware creates a hidden file in the directory where its binary resides. This file acts as a mutex, preventing multiple instances from running on the infected device.

    To ensure persistence, the malware installs itself in the system’s startup scripts, using either SystemV init or SystemD. It also re-executes itself as a child process while the parent process waits, which makes the running instance harder to spot.

    The malware’s execution logic (Kaspersky)
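    The hidden mutex file and the SystemV/SystemD startup entries described above are host artifacts an incident responder can look for. The following Python script is an added example written for this page, not code from Kaspersky’s report or from the malware: it parses systemd unit files for Exec* binaries that live in hidden or writable locations, scans SysV init scripts for the same, and lists dot-files sitting beside a flagged binary. The “trusted” and “suspicious” directory lists, the sample unit text and the sample init script are constructed assumptions, not published DinodasRAT indicators.

```python
# Added example for this page (not code from Kaspersky's report or from the
# malware): hunt for the two host artifacts described above. Directory lists,
# sample unit and sample init script are assumptions, not published IOCs.
import os
import re
import shlex
from pathlib import PurePosixPath

# Package-managed locations where a service binary normally lives (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/lib/", "/lib64/")
# Writable or user-controlled locations a service binary rarely lives in (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Reload)\s*=\s*(.+)$", re.M)
ABS_PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def has_hidden_component(path):
    """True if any directory or file name in the path is dot-prefixed (e.g. /usr/share/.x/a)."""
    return any(p.startswith(".") for p in PurePosixPath(path).parts)


def is_unusual_binary(path, require_trusted=True):
    """Flag a binary path that is hidden, in a writable location, or (optionally) unpackaged."""
    if has_hidden_component(path) or path.startswith(SUSPICIOUS_PREFIXES):
        return True
    return require_trusted and not path.startswith(TRUSTED_PREFIXES)


def exec_binaries_from_unit(unit_text):
    """Return the executables named by Exec* lines of a systemd unit file."""
    bins = []
    for m in EXEC_RE.finditer(unit_text):
        cmd = m.group(1).strip().lstrip("-@+!:")  # systemd exec-prefix characters
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        if argv:
            bins.append(argv[0])
    return bins


def unusual_paths_in_init_script(script_text):
    """Absolute paths in a SysV init script that point into hidden or writable locations."""
    found = []
    for p in ABS_PATH_RE.findall(script_text):
        if is_unusual_binary(p, require_trusted=False) and p not in found:
            found.append(p)
    return found


def hidden_siblings(binary_path, listdir=os.listdir):
    """Dot-files in the same directory as a binary (the mutex marker described above).
    listdir is injectable so the check can run against a recorded directory listing."""
    directory = os.path.dirname(binary_path) or "/"
    try:
        return sorted(n for n in listdir(directory) if n.startswith("."))
    except OSError:
        return []


def scan_systemd_dir(directory="/etc/systemd/system"):
    """Walk unit files on a live host; report Exec* binaries outside packaged paths."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not (name.endswith(".service") and os.path.isfile(full)):
            continue
        with open(full, errors="replace") as fh:
            for binary in exec_binaries_from_unit(fh.read()):
                if is_unusual_binary(binary):
                    findings.append((full, binary, hidden_siblings(binary)))
    return findings


# Constructed sample inputs for illustration, not real DinodasRAT artifacts.
SAMPLE_UNIT = """[Unit]
Description=sync helper
[Service]
ExecStartPre=-/usr/bin/true
ExecStart=/usr/share/.cache-srv/syncd --daemon
Restart=always
[Install]
WantedBy=multi-user.target
"""
SAMPLE_INIT = """#!/bin/sh
### BEGIN INIT INFO
# Provides: syncd
### END INIT INFO
. /lib/lsb/init-functions
DAEMON=/var/tmp/.syncd/syncd
start-stop-daemon --start --exec $DAEMON
"""

if __name__ == "__main__":
    for unit, binary, hidden in scan_systemd_dir():
        print(f"{unit}: {binary} (hidden files alongside: {hidden})")
    print(unusual_paths_in_init_script(SAMPLE_INIT))
```

    Run as root on a live host, the script walks /etc/systemd/system; the same parsing functions can be pointed at unit files and init scripts copied off a disk image. Anything it flags still needs a manual look, since legitimately installed software in /opt or /usr/local will also trip the “unpackaged” rule.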

    The infected machine is tagged with infection, hardware, and system details, and this information is sent to the command and control (C2) server, which uses it to manage the victim hosts.

    Creating the unique ID for the victim (Kaspersky)

    The malware communicates with the C2 server over TCP or UDP, and it uses the Tiny Encryption Algorithm (TEA) in CBC mode to encrypt the exchanged data.

    Dinodas network packet structure (Kaspersky)
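    TEA in CBC mode, as named above, is the construction an analyst has to reproduce when writing a traffic decoder for captured C2 sessions. The following Python implementation is an added example for this page, not Kaspersky’s code or the implant’s: standard 32-round TEA over 64-bit blocks, chained in CBC. Word byte order (little-endian), zero padding and the sample key and IV are assumptions; the article does not give the implant’s key, IV handling or padding, and a real decoder would take those from the packet structure.

```python
# Added example for this page (not Kaspersky's code or the implant's): standard
# TEA chained in CBC mode, the construction the report names for C2 traffic.
# Little-endian words, zero padding and the sample key/IV are assumptions; the
# implant's real key, IV handling and padding are not given in the article.
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32


def _key_words(key):
    """TEA takes a 128-bit key as four 32-bit words (little-endian assumed)."""
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    return struct.unpack("<4I", key)


def _mix(x, ka, kb, s):
    """The TEA round function applied to one half, masked to 32 bits."""
    return (((x << 4) + ka) & MASK) ^ ((x + s) & MASK) ^ (((x >> 5) + kb) & MASK)


def tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block (two 32-bit words) with 32 rounds of TEA."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + _mix(v1, k[0], k[1], s)) & MASK
        v1 = (v1 + _mix(v0, k[2], k[3], s)) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Invert tea_encrypt_block: run the rounds backwards from the final sum."""
    s = (DELTA * ROUNDS) & MASK  # 0xC6EF3720
    for _ in range(ROUNDS):
        v1 = (v1 - _mix(v0, k[2], k[3], s)) & MASK
        v0 = (v0 - _mix(v1, k[0], k[1], s)) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tea_cbc_encrypt(key, iv, plaintext):
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    if len(iv) != 8:
        raise ValueError("IV must be one 8-byte block")
    k = _key_words(key)
    data = plaintext + b"\x00" * (-len(plaintext) % 8)  # zero padding (assumption)
    prev, out = iv, bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", _xor(data[i:i + 8], prev))
        prev = struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
        out += prev
    return bytes(out)


def tea_cbc_decrypt(key, iv, ciphertext):
    """CBC decryption; the caller strips padding using the length carried in the packet header."""
    if len(iv) != 8 or len(ciphertext) % 8:
        raise ValueError("IV must be 8 bytes and ciphertext a multiple of 8 bytes")
    k = _key_words(key)
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), 8):
        block = ciphertext[i:i + 8]
        v0, v1 = struct.unpack("<2I", block)
        out += _xor(struct.pack("<2I", *tea_decrypt_block(v0, v1, k)), prev)
        prev = block
    return bytes(out)


# Constructed sample key and IV for a round-trip check; not values from the malware.
SAMPLE_KEY = bytes(range(16))
SAMPLE_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"

if __name__ == "__main__":
    msg = b"uname -a; id; cat /etc/hostname"
    ct = tea_cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, msg)
    print("ciphertext:", ct.hex())
    print("recovered :", tea_cbc_decrypt(SAMPLE_KEY, SAMPLE_IV, ct).rstrip(b"\x00"))
```

    When adapting this to real captures, the two things to confirm first are the word byte order (swapping “<2I” for “>2I” is the usual fix when decryption yields garbage) and whether the IV is fixed, sent in the packet, or derived; CBC decryption of a block depends only on that block and the one before it, so a wrong IV corrupts just the first block and is easy to spot.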

    DinodasRAT has features that allow it to monitor, control, and exfiltrate data from compromised systems. It has the ability to:

    • Monitor and harvest data on user activities, system configurations, and running processes.
    • Receive commands for execution from the C2, including file and directory actions, shell command execution, and updating the C2 address.
    • Enumerate, start, stop, and manage processes and services on the infected system.
    • Offer the attackers a remote shell for direct command or file execution in separate threads.
    • Proxy C2 communications through remote servers.
    • Download new versions of the malware that potentially incorporate improvements and additional capabilities.
    • Uninstall itself and wipe all traces of its previous activity from the system.

    According to the researchers, DinodasRAT gives the attacker complete control over compromised systems. They note that the threat actor is primarily using the malware to gain and maintain access to targets through Linux servers.

    “The backdoor is fully functional, giving the operator complete control over the infected machine and enabling data exfiltration and espionage,” Kaspersky explains.

    Kaspersky does not provide details about the initial infection method, but notes that the malware has affected victims in China, Taiwan, Turkey, and Uzbekistan since October 2023.
