Security researchers have discovered a troubling new development in the world of cyber espionage. A Linux version of the notorious DinodasRAT malware, also known as XDealer, has been targeting Red Hat and Ubuntu systems, potentially since 2022.

The specifics of the Linux variant have not been publicly disclosed, but the original version of DinodasRAT dates back to 2021. Cybersecurity firm ESET has previously observed DinodasRAT compromising Windows systems as part of an espionage campaign named ‘Operation Jacana,’ which specifically targeted government entities.

More recently, Trend Micro reported on the activities of a Chinese APT group dubbed ‘Earth Krahang,’ which utilized XDealer to breach both Windows and Linux systems belonging to governments across the globe.

According to a recent report by Kaspersky, the Linux variant of DinodasRAT demonstrates a sophisticated execution process. Upon infiltration, the malware creates a hidden file as a mutex to prevent multiple instances from running, establishes persistence using startup scripts, and communicates with a command and control server to manage victim hosts.
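The two host-side behaviours described above, a hidden marker file and persistence through startup scripts, can be checked together during triage. The following Python is an added example, not code from Kaspersky's report or from this article; the startup directories, the function names, and the heuristic that the hidden file sits in the same directory as the launched binary are assumptions, since the article gives no paths or file names.

```python
import os
import re

# Usual SysV/systemd startup locations (assumption: the article names no paths).
STARTUP_DIRS = ("/etc/init.d", "/etc/rc.d", "/etc/systemd/system", "/usr/lib/systemd/system")
ABS_PATH = re.compile(r"/(?:[\w.+-]+/)+[\w.+-]+")

def startup_files(dirs=STARTUP_DIRS):
    """Yield every regular file under the given startup directories."""
    for d in dirs:
        for base, _subdirs, names in os.walk(d):
            for name in names:
                path = os.path.join(base, name)
                if os.path.isfile(path):
                    yield path

def launched_binaries(script_path):
    """Absolute paths named in a startup file that are executable regular files."""
    try:
        with open(script_path, errors="replace") as fh:
            text = fh.read()
    except OSError:
        return set()
    return {p for p in ABS_PATH.findall(text)
            if os.path.isfile(p) and os.access(p, os.X_OK)}

def hidden_siblings(binary):
    """Hidden regular files beside the binary (assumed location of a mutex file)."""
    folder = os.path.dirname(binary)
    try:
        names = os.listdir(folder)
    except OSError:
        return []
    return sorted(os.path.join(folder, n) for n in names
                  if n.startswith(".") and os.path.isfile(os.path.join(folder, n)))

def triage(dirs=STARTUP_DIRS):
    """Map startup file -> {binary: [hidden files beside it]} for analyst review."""
    report = {}
    for script in startup_files(dirs):
        hits = {b: h for b in launched_binaries(script) if (h := hidden_siblings(b))}
        if hits:
            report[script] = hits
    return report

if __name__ == "__main__":
    for script, hits in triage().items():
        for binary, hidden in hits.items():
            print(f"{script}: {binary} has hidden neighbours {hidden}")
```

A hit is only a lead for review: legitimate services also keep dotfiles next to their binaries, so compare results against the package manager's file list before drawing conclusions.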

Capabilities of DinodasRAT include monitoring and harvesting data, executing commands from the C2 server, managing processes and services, providing a remote shell for direct command execution, proxying C2 communications, downloading new versions of the malware, and self-uninstallation to cover its tracks.

Researchers warn that the malware grants attackers complete control over compromised systems, facilitating data exfiltration and espionage. While the initial infection method remains undisclosed, Kaspersky reports that victims in China, Taiwan, Turkey, and Uzbekistan have been affected by DinodasRAT since October 2023.

In light of these developments, it is crucial for organizations and individuals to remain vigilant and prioritize cybersecurity measures to mitigate the risks posed by sophisticated malware like DinodasRAT.

Fabio

Full Stack Developer
