Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries
In a recent discovery by Kaspersky, a Linux version of the notorious DinodasRAT, also known as XDealer, has been identified in cyber attacks across multiple countries. This C++-based malware is designed to extract a wide array of sensitive data from compromised hosts, with a primary focus on Red Hat-based distributions and Ubuntu Linux.
Discovery of Linux Version
Kaspersky’s research team unearthed the Linux variant of DinodasRAT (V10) in early October 2023, marking a significant evolution from the initial variant (V7) that emerged in 2021.
Targeted Countries
The malware has been detected in cyber attacks spanning China, Taiwan, Turkey, and Uzbekistan, indicating a widespread and coordinated effort by threat actors to exploit vulnerabilities in these regions.
Capabilities
DinodasRAT boasts a range of capabilities, including file operations, manipulation of command-and-control (C2) addresses, process enumeration and termination, shell command execution, backdoor version updates, and self-uninstallation.
Evasion Techniques
To avoid detection, the malware employs evasion techniques such as anti-debugging measures and the Tiny Encryption Algorithm (TEA) to encrypt its C2 communications, so that the traffic cannot be inspected by security tools without the key.
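As an added illustration (not code from Kaspersky's report or from the malware itself), the following Python implements the TEA block cipher named above, so an analyst holding a key recovered during sample analysis can decode captured data; little-endian word order, ECB mode and 8-byte alignment are assumptions, since the page does not describe the actual C2 framing.

```python
import struct

# TEA constants (Wheeler & Needham): 32 rounds, golden-ratio delta, 32-bit arithmetic.
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32

def tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Encrypt one 64-bit block (two 32-bit words) with a 128-bit key (four words)."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1

def tea_decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Invert tea_encrypt_block: same round function applied in reverse, s counting down."""
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1

def _key_words(key: bytes) -> tuple:
    assert len(key) == 16, "TEA uses a 128-bit key"
    return struct.unpack("<4I", key)  # ASSUMPTION: little-endian word order

def tea_ecb(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Apply TEA block by block (ECB). ASSUMPTIONS: 8-byte aligned input, little-endian words.
    The real C2 framing (IV, padding, length prefix) is not described on the page."""
    assert len(data) % 8 == 0, "input must be a whole number of 8-byte blocks"
    k = _key_words(key)
    fn = tea_decrypt_block if decrypt else tea_encrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *fn(v0, v1, k))
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample: a 16-byte key and a 16-byte "beacon" payload, not real IoCs.
    key = bytes(range(16))
    beacon = b"host=db01;ver=10"  # 16 bytes = two TEA blocks
    wire = tea_ecb(beacon, key)
    print(wire.hex())
    print(tea_ecb(wire, key, decrypt=True))
```

Note that in ECB mode identical plaintext blocks produce identical ciphertext blocks, a pattern a detection engineer can look for in captured traffic even without the key.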
Use Case
Unlike traditional reconnaissance-focused malware, DinodasRAT is primarily used to establish and sustain access to Linux servers, highlighting the threat it poses to critical infrastructure and sensitive data.
Threat Actors
DinodasRAT is attributed to various China-nexus threat actors, in particular the group LuoYu, and its origins and operations are closely tied to cyber activity originating from that region.