Chinese Hackers Have Used DinodasRAT
Hackers are using a new version of a backdoor to target Linux servers and gain and maintain access in what appears to be an espionage campaign, warned researchers from Kaspersky.
The Russian cybersecurity company said telemetry data shows a previously unknown variant of DinodasRAT active in China, Taiwan, Turkey and Uzbekistan – likely since 2022 or possibly 2021. Kaspersky first identified the remote access Trojan, also known as XDealer, in October. Cybersecurity firm ESET late last year spotted a Windows variant of the same RAT active in attacks against government agencies in Guyana (see: China-Linked APT Uses New Backdoor for Espionage in Guyana).
ESET with medium confidence attributed the Guyana campaign to a threat group aligned with Chinese interests. Kaspersky doesn’t attribute the Linux server variant to a particular threat actor.
Trend Micro earlier this month reported the use of a DinodasRAT custom backdoor by a China-linked actor it tracked as Earth Krahang – possibly the work of Chinese state hacking contractor iSoon. Leaked documents from the Sichuan-based private firm buttress a security researcher theory that instances of penetration tools popping up in different campaigns indicate the existence of “digital quartermasters” who outfit state-backed hackers.
The hallmark of DinodasRAT’s strategy is its victim identification and persistence mechanisms, Kaspersky said. The malware checks for two Linux distributions – Red Hat and Ubuntu 16/18 – although it could also infect any distro that uses either systemd or System V init to start services at boot.
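Because the backdoor persists through whichever init system it finds, a defender's first check on a suspect server is the boot-time service inventory. The following audit script is an added example written for this article, not code from Kaspersky or from the malware analysis: it walks systemd unit directories and System V init directories and flags any service whose launch target lives in a location a legitimate package almost never uses (temporary directories, home directories, hidden directories). The directory lists, the "suspicious path" pattern and the sample unit files in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Where systemd units and SysV init scripts give a program a foothold at boot.
# Constructed list for this example; add vendor-specific paths as needed.
SYSTEMD_UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
SYSV_INIT_DIRS = ["/etc/init.d", "/etc/rc.d/init.d"]

# Launch locations that real services almost never use: temp dirs, home dirs,
# or any path with a hidden (dot-prefixed) directory component.
SUSPICIOUS_PATH = re.compile(r"^(/tmp/|/var/tmp/|/dev/shm/|/home/[^/]+/|.*/\.[^/]+/)")

EXEC_LINE = re.compile(r"\s*Exec(?:StartPre|StartPost|Start)\s*=\s*[-@+!:]*(\S+)")


def suspicious_exec_targets(unit_text: str) -> list[str]:
    """Return ExecStart*= targets of a systemd unit that point at unusual locations."""
    hits = []
    for line in unit_text.splitlines():
        m = EXEC_LINE.match(line)
        if m and SUSPICIOUS_PATH.match(m.group(1)):
            hits.append(m.group(1))
    return hits


def suspicious_paths_in_script(script_text: str) -> list[str]:
    """Return absolute paths mentioned in a SysV init script that look out of place."""
    return sorted({tok for tok in re.findall(r"/\S+", script_text) if SUSPICIOUS_PATH.match(tok)})


def audit_systemd_dirs(dirs: list[str]) -> list[tuple[str, str]]:
    """(unit file, suspicious target) pairs across the given unit directories."""
    findings = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for unit in sorted(p.glob("*.service")):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue  # unreadable unit: not our concern here
            findings.extend((str(unit), target) for target in suspicious_exec_targets(text))
    return findings


def audit_sysv_dirs(dirs: list[str]) -> list[tuple[str, str]]:
    """(init script, suspicious path) pairs across the given init.d directories."""
    findings = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for script in sorted(p.iterdir()):
            if not script.is_file():
                continue
            try:
                text = script.read_text(errors="replace")
            except OSError:
                continue
            findings.extend((str(script), tok) for tok in suspicious_paths_in_script(text))
    return findings


def demo() -> dict:
    """Constructed test tree: one benign unit, one lookalike unit, one SysV script."""
    root = Path(tempfile.mkdtemp(prefix="init-audit-"))
    (root / "sshd.service").write_text(
        "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n")
    (root / "centos-update.service").write_text(  # constructed lookalike name
        "[Unit]\nDescription=System update helper\n[Service]\n"
        "ExecStart=/var/tmp/.cache/update -d\nRestart=always\n")
    initd = root / "init.d"
    initd.mkdir()
    (initd / "netmon").write_text("#!/bin/sh\n/dev/shm/.x/agent &\nexit 0\n")  # constructed
    return {"systemd": audit_systemd_dirs([str(root)]), "sysv": audit_sysv_dirs([str(initd)])}


if __name__ == "__main__":
    # On a live host, swap the demo directories for SYSTEMD_UNIT_DIRS / SYSV_INIT_DIRS.
    for kind, rows in demo().items():
        for path, target in rows:
            print(f"{kind}: {path} -> {target}")
```

The path heuristic deliberately errs toward false positives; on a real host, review each hit against the owning package (`rpm -qf` or `dpkg -S` on the unit file) rather than acting on the match alone.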
DinodasRAT instances “do not collect user information to manage infections. Instead, hardware-specific information is collected and used to generate a UID, demonstrating that DinodasRAT’s primary use case is to gain and maintain access via Linux servers rather than reconnaissance.”
The backdoor generates a unique identifier for each infected machine based on the date of infection, hardware information and backdoor version. It stores the identifier in a hidden configuration file that facilitates tracking and management of infected systems.
To maintain stealth and evade detection, DinodasRAT manipulates file access time stamps, ensuring minimal traceability and making it challenging for security analysts to detect and mitigate the threat.
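Rewriting file access and modification times hides a file from a naive "recently changed" search, but on Linux the kernel sets the inode change time (ctime) itself whenever timestamps are rewritten, and user space cannot backdate it. The check below is an added example for this article, not Kaspersky's tooling: it reports files whose modification time lags far behind their ctime, plus a weaker hint (a modification time with no sub-second part, typical of second-granularity timestamp rewriting). The threshold, file names and the backdated sample file in `demo()` are constructed.

```python
import os
import tempfile
import time
from pathlib import Path


def timestomp_indicators(path: str, min_gap_seconds: float = 3600.0) -> dict:
    """Compare a file's mtime with its ctime and flag a large, one-sided gap.

    utime()-style calls can set atime and mtime to any value, but the kernel
    updates ctime on every inode change, including the timestamp rewrite
    itself. Caveat: chmod, chown and rename also bump ctime, so a gap is a
    triage signal to review, not proof of tampering.
    """
    st = os.stat(path, follow_symlinks=False)
    gap = st.st_ctime - st.st_mtime
    return {
        "path": path,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "ctime_minus_mtime": gap,
        # Weak hint: mtime with zero nanoseconds often means a second-granularity
        # rewrite; some filesystems only store seconds, so never rely on it alone.
        "mtime_whole_second": st.st_mtime_ns % 1_000_000_000 == 0,
        "suspicious": gap > min_gap_seconds,
    }


def scan_tree(root: str, min_gap_seconds: float = 3600.0) -> list[dict]:
    """Walk a directory tree and return the indicator records flagged suspicious."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                rec = timestomp_indicators(os.path.join(dirpath, name), min_gap_seconds)
            except OSError:
                continue  # vanished or unreadable; skip
            if rec["suspicious"]:
                flagged.append(rec)
    return flagged


def demo() -> dict:
    """Constructed files: one written normally, one with mtime pushed back a year."""
    root = Path(tempfile.mkdtemp(prefix="timestomp-"))
    normal = root / "normal.conf"
    normal.write_text("listen=127.0.0.1\n")
    stomped = root / ".uid"  # hidden file with a constructed name
    stomped.write_text("constructed-identifier\n")
    year_ago_ns = (int(time.time()) - 365 * 86400) * 1_000_000_000
    # Backdate atime and mtime to whole seconds; ctime still advances to "now".
    os.utime(stomped, ns=(year_ago_ns, year_ago_ns))
    return {
        "normal": timestomp_indicators(str(normal)),
        "stomped": timestomp_indicators(str(stomped)),
        "flagged_in_tree": [r["path"] for r in scan_tree(str(root))],
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

For a real investigation, pair this with a source of truth the attacker could not rewrite from user space: package manager manifests (`rpm -V`, `debsums`) and, where available, the filesystem's birth time or a prior file-integrity baseline.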
The backdoor uses TCP or UDP to communicate with its command-and-control server and reaches it through a hard-coded domain: update.centos-yum.com. The Windows variant uses a different domain – update.microsoft-settings.com – that resolves to the same IP address.
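Two hard-coded domains that resolve to one address give defenders both a direct match and a pivot: any host that queried either domain is worth isolating, and any other name that resolved to the same address is probably related infrastructure. The scanner below is an added example, not code from the article or from Kaspersky; it runs the two published domains over a constructed DNS query log in a simple "timestamp client qname qtype answer" format. The log lines, client addresses and resolved addresses are constructed (the answers are RFC 5737 documentation addresses, not the real C2 address, which the article does not give).

```python
import ipaddress
import re
from collections import defaultdict

# Domains named in the article as DinodasRAT C2 (Linux and Windows variants).
IOC_DOMAINS = {"update.centos-yum.com", "update.microsoft-settings.com"}

# Constructed sample log: "ts client qname qtype answer". The resolved IPs are
# documentation addresses (203.0.113.0/24), not real infrastructure.
SAMPLE_DNS_LOG = """\
2024-03-28T10:01:02Z 10.0.0.15 mirror.centos.org A 203.0.113.5
2024-03-28T10:01:09Z 10.0.0.15 update.centos-yum.com A 203.0.113.77
2024-03-28T10:02:30Z 10.0.0.22 www.example.com A 203.0.113.9
2024-03-28T10:05:44Z 10.0.0.31 update.microsoft-settings.com A 203.0.113.77
2024-03-28T10:06:01Z 10.0.0.31 UPDATE.Centos-Yum.COM. A 203.0.113.77
2024-03-28T10:07:15Z 10.0.0.22 www.example.com AAAA 2001:db8::9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so exact matching is not fooled by case."""
    return qname.rstrip(".").lower()


def matches_ioc(qname: str) -> bool:
    """True for the domain itself or any subdomain of it; never a bare substring match."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns_log(text: str) -> dict:
    """Return direct IoC hits, the clients that made them, and a shared-IP pivot."""
    hits = []
    ip_to_domains = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        ts, client, qname, qtype, answer = m.groups()
        q = normalize(qname)
        if matches_ioc(q):
            hits.append({"ts": ts, "client": client, "qname": q, "answer": answer})
        if qtype in ("A", "AAAA"):
            try:
                ip_to_domains[str(ipaddress.ip_address(answer))].add(q)
            except ValueError:
                pass  # NXDOMAIN, CNAME target, or other non-address answer
    # Pivot: every address an IoC domain resolved to, with all names sharing it.
    ip_pivot = {ip: sorted(names) for ip, names in ip_to_domains.items() if names & IOC_DOMAINS}
    return {
        "hits": hits,
        "hosts": sorted({h["client"] for h in hits}),
        "ip_pivot": ip_pivot,
    }


if __name__ == "__main__":
    result = scan_dns_log(SAMPLE_DNS_LOG)
    for h in result["hits"]:
        print(f"IOC query {h['qname']} from {h['client']} at {h['ts']}")
    print("hosts to isolate:", result["hosts"])
    print("shared-IP pivot:", result["ip_pivot"])
```

The suffix match in `matches_ioc` matters: a plain substring test would also fire on unrelated names that merely contain "centos-yum.com", and a plain equality test would miss subdomains the operators could add without changing the registered name.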