
A Linux version of the multi-platform backdoor called DinodasRAT has been found in the wild targeting China, Taiwan, Turkey and Uzbekistan, according to Kaspersky's latest findings.
DinodasRAT, also known as XDealer, is a C++-based malware capable of obtaining various sensitive data from infected hosts.
In October 2023, Slovak cybersecurity company ESET revealed that government entities in Guyana had been targeted by a cyber espionage campaign called “Operation Water Pheasant” to deploy a Windows version of the implant.

Last week, Trend Micro detailed a cluster of threat activity it’s tracking called Earth Krahang, which since 2023 has turned to using DinodasRAT to target multiple government entities around the world.
The use of DinodasRAT has been attributed to multiple China-linked threat actors, including LuoYu, again reflecting widespread tool-sharing among groups of hackers believed to be acting on behalf of the state.

Kaspersky said it discovered the Linux version (V10) of the malware in early October 2023. Evidence collected so far suggests that the first known variant (V7) dates back to 2021.
It mainly targets Red Hat based distributions and Ubuntu Linux. After execution, it establishes persistence on the host by using SystemV or SystemD startup scripts, and periodically contacts the remote server via TCP or UDP to obtain commands to be executed.
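
The following Python sketch is an added example, not code from Kaspersky's report or from this article: it triages the persistence mechanism described above by listing systemd service units and SysV init scripts and reporting files that neither dpkg nor rpm attributes to an installed package. The directory list and the package-ownership heuristic are assumptions chosen for illustration and are not DinodasRAT indicators.

```python
import re
import shlex
import shutil
import subprocess
from pathlib import Path

# Assumed standard locations for systemd units and SysV init scripts.
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")
INIT_DIR = "/etc/init.d"

def exec_paths(unit_text):
    """Return the program named by each ExecStart/ExecStartPre/ExecStartPost line."""
    found = []
    for line in unit_text.splitlines():
        m = re.match(r"\s*ExecStart(?:Pre|Post)?\s*=\s*(\S.*)", line)
        if not m:
            continue
        try:
            argv = shlex.split(m.group(1))
        except ValueError:  # unbalanced quotes: skip rather than guess
            continue
        if argv:
            found.append(argv[0].lstrip("@-+!:"))  # drop systemd exec prefixes
    return found

def unowned_startup_files(units, init_scripts, is_packaged):
    """units: {unit_path: text}; init_scripts: paths. Return files no package owns."""
    candidates = list(init_scripts)
    for unit_path, text in units.items():
        candidates.append(unit_path)
        candidates.extend(exec_paths(text))
    return sorted({p for p in candidates if p.startswith("/") and not is_packaged(p)})

def package_db_lookup(path):
    """True if dpkg (Ubuntu) or rpm (Red Hat family) records an owner for path."""
    tool = "dpkg" if shutil.which("dpkg") else "rpm" if shutil.which("rpm") else None
    if tool is None:
        raise RuntimeError("neither dpkg nor rpm found on this host")
    cmd = [tool, "-S" if tool == "dpkg" else "-qf", path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

if __name__ == "__main__":
    units = {str(f): f.read_text(errors="replace")
             for d in UNIT_DIRS if Path(d).is_dir()
             for f in Path(d).glob("*.service") if f.is_file()}
    scripts = [str(f) for f in Path(INIT_DIR).glob("*")] if Path(INIT_DIR).is_dir() else []
    for path in unowned_startup_files(units, scripts, package_db_lookup):
        print("no package owner:", path)
```

Locally written units and scripts are also unowned, so each result is a lead for manual review rather than a verdict.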

DinodasRAT can perform file operations, change command and control (C2) addresses, enumerate and terminate running processes, execute shell commands, download new versions of the backdoor, and even uninstall itself.
It also takes steps to evade detection by debugging and monitoring tools, and like its Windows counterpart, utilizes the Tiny Encryption Algorithm (TEA) to encrypt C2 communications.
“The main purpose of DinodasRAT is to gain and maintain access to Linux servers, rather than for reconnaissance,” Kaspersky said. “The backdoor is fully functional and allows the operator to fully control the infected machine, allowing for data exfiltration and espionage.”