Summary: Kaspersky has disclosed details of a new Linux version of DinodasRAT, which it discovered in early October 2023 following a publication from ESET. Also known as XDealer, the trojan is a multi-platform backdoor written in C++ that enables actors to surveil targeted systems and harvest sensitive data from them. According to the researchers, the latest Linux variant (version 10) may have been operating since 2022 and is primarily designed to target Red Hat-based distributions and Ubuntu Linux. Notably, the variant establishes persistence on infected systems through SystemV or SystemD startup scripts and re-executes itself with the parent process ID passed as an argument.
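The two persistence traits above (startup-script persistence and re-execution with the parent PID as an argument) are concrete enough to hunt for. The following Python script is an added illustration, not code from Kaspersky's report or from the implant itself: it parses constructed `ps -eo pid,ppid,exe,args` output and flags any process whose argument list contains its own PPID while its parent runs the same executable, and it scans SystemV init scripts and systemd unit text for binaries launched from temp directories or hidden paths. All sample process lines, unit files and paths (such as `/tmp/.x/implant`) are constructed for the example and are not real indicators.

```python
"""Hunt for DinodasRAT-style Linux persistence traits (added example, not vendor code).

Assumptions: `ps -eo pid,ppid,exe,args` output is available (procps-ng supports the
`exe` column), and startup scripts are read as plain text. The sample data below is
constructed for illustration and contains no real indicators.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed `ps -eo pid,ppid,exe,args` output: one child re-executed with PPID 4213
# as its argument, plus benign processes for negative cases.
SAMPLE_PS = """  PID  PPID EXE                      COMMAND
    1     0 /usr/lib/systemd/systemd /sbin/init
  812     1 /usr/sbin/sshd           /usr/sbin/sshd -D
 4213     1 /tmp/.x/implant          /tmp/.x/implant
 4290  4213 /tmp/.x/implant          /tmp/.x/implant 4213
 4301   812 /bin/bash                -bash 4213
"""

# Constructed startup-script samples (systemd unit and SystemV init script).
BENIGN_UNIT = """[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -D $OPTIONS
"""
SUSPICIOUS_UNIT = """[Unit]
Description=System font cache
[Service]
ExecStart=/tmp/.x/implant
Restart=always
[Install]
WantedBy=multi-user.target
"""
SYSV_SCRIPT = """#!/bin/sh
### BEGIN INIT INFO
# Provides: fontcache
### END INIT INFO
case "$1" in
  start) nohup /var/tmp/.cache/svc >/dev/null 2>&1 & ;;
esac
"""

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str
    args: List[str]


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -eo pid,ppid,exe,args` output; the args column keeps argv[0]."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("PID"):
            continue  # skip blank lines and the header
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, exe = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3].split() if len(parts) == 4 else []
        procs.append(Proc(pid, ppid, exe, args))
    return procs


def find_ppid_reexec(procs: List[Proc]) -> List[Proc]:
    """Flag processes whose argv (after argv[0]) contains their own PPID and whose
    parent is the same binary (or has already exited)."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if str(p.ppid) not in p.args[1:]:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.exe == p.exe:
            hits.append(p)
    return hits


def suspicious_paths(text: str) -> List[str]:
    """Return absolute paths in a unit file or init script that point into a temp
    directory or through a hidden (dot-prefixed) directory."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop shell and unit-file comments
        for token in line.replace("=", " ").split():
            token = token.lstrip("-@:+!")  # strip systemd ExecStart prefixes
            if not token.startswith("/"):
                continue
            hidden = any(part.startswith(".") for part in token.split("/")[1:])
            if token.startswith(SUSPICIOUS_DIRS) or hidden:
                hits.append(token)
    return hits


if __name__ == "__main__":
    for p in find_ppid_reexec(parse_ps(SAMPLE_PS)):
        print(f"PPID re-exec: pid={p.pid} ppid={p.ppid} exe={p.exe} args={p.args}")
    for name, text in (("unit", SUSPICIOUS_UNIT), ("sysv", SYSV_SCRIPT)):
        print(name, suspicious_paths(text))
```

On a live host, feed the functions the real `ps -eo pid,ppid,exe,args` output and the contents of `/etc/systemd/system/*.service` and `/etc/init.d/*`; a hit on either check is a lead to triage, not a verdict, since legitimate daemons occasionally fork with a PID argument and packaging scripts sometimes reference `/tmp`.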
Security Officer Comments: DinodasRAT has been used to target entities in countries across the globe, including China, Taiwan, Turkey, and Uzbekistan. Based on the attacks observed so far, the implant appears to be commonly associated with Chinese threat actors. Earlier this month, Trend Micro released a blog post on the Chinese APT group Earth Krahang, which has breached 70 organizations and targeted at least 116 entities across the globe in a campaign running since early 2022. In the campaign highlighted by Trend Micro, researchers noted the use of DinodasRAT as one of the main payloads leveraged by Earth Krahang to take control of victims' systems and exfiltrate data. Kaspersky's disclosure of the Linux variant indicates that the actors behind the backdoor are continuously updating the malware and releasing new variants to reach more systems, making it a tool that is increasingly leveraged by cybercriminals and APT groups alike.
Suggested Corrections: Malware like DinodasRAT is typically distributed in phishing attacks, highlighting the need for organizations to employ robust security measures and train employees to recognize such threats. Regular phishing simulations and tabletop exercises covering different phishing techniques can help increase awareness and proficiency in deterring potential attacks. Because the Linux variant persists through SystemV or SystemD startup scripts, reviewing newly added init scripts and service units on Red Hat-based and Ubuntu servers is a practical detection step.
DinodasRAT IOCs: https://securelist.com/dinodasrat-linux-implant/112284/
Link(s): https://securelist.com/dinodasrat-linux-implant/112284/