Linux Servers Targeted By DinodasRAT Linux Malware Attack To Acquire Backdoor Access

DinodasRAT, also known as XDealer, is a powerful C++ backdoor that targets several operating systems. It allows attackers to surreptitiously monitor compromised computers and retrieve sensitive information from them.

A Windows version of this RAT was used in attacks against government agencies in Guyana. ESET researchers investigated that campaign and named it Operation Jacana.

Following ESET's investigation in early October 2023, a previously unknown Linux variant of DinodasRAT was discovered.

Indications are that this version, labeled V10 by the attackers, has been active since 2022.

However, the earliest discovered Linux variant, V7, is from 2021 and, surprisingly, has not been made public. This article covers the technical details of a Linux implant used by the attackers.

Infection And Persistence Mechanisms

The DinodasRAT Linux implant mostly affects Red Hat and Ubuntu systems. When executed, it creates a hidden mutex file to prevent additional instances from running.

The backdoor achieves persistence through direct execution, SystemV, or SystemD startup scripts. It runs itself with the parent process ID as an argument, which complicates detection.

Victim Identification And Persistence

The RAT collects system information and the infection time to generate a unique identifier (UID). The ID is generated for the victim's machine and deliberately excludes user-specific data.

The UID includes the infection date, an MD5 hash of the system's hardware report, a random number, and the backdoor version.

The UID and other pertinent information are kept in a hidden file named "/etc/.netc.conf". The RAT uses this file to keep track of the backdoor's profile.

Stealth And Service Manager Utilization

DinodasRAT takes steps to avoid updating file access times. It relies on the Systemd and SystemV service managers to maintain its presence on compromised computers.

It detects the Linux distribution and installs the necessary init scripts, so that the backdoor is launched after network configuration.
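The host-side traces described in the sections above (the "/etc/.netc.conf" profile file, a process relaunched with its parent's PID as an argument, and a Systemd or SystemV startup script) can be checked together during triage. The following is an added example, not code from the original research: the function names are hypothetical, and the process check is a heuristic that assumes the parent is still alive and that the PID is the only argument.

```python
import glob
import os

PROFILE = "etc/.netc.conf"  # hidden profile file named in the article
STARTUP_GLOBS = ("etc/systemd/system/*.service", "lib/systemd/system/*.service",
                 "etc/init.d/*")  # Systemd units and SystemV init scripts

def _ppid(status_path):
    """Return the PPid field of a /proc/<pid>/status file as a string."""
    with open(status_path) as f:
        for line in f:
            if line.startswith("PPid:"):
                return line.split()[1]
    return None

def triage(root="/"):
    """Return (indicator, detail) findings for the filesystem tree at `root`."""
    findings = []
    profile = os.path.join(root, PROFILE)
    if os.path.isfile(profile):
        findings.append(("profile_file", profile))
    # Heuristic (assumption): a process whose only argument is its parent's PID.
    suspects = set()
    for proc_dir in glob.glob(os.path.join(root, "proc", "[0-9]*")):
        try:
            with open(os.path.join(proc_dir, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace")
                        for a in f.read().split(b"\0") if a]
            ppid = _ppid(os.path.join(proc_dir, "status"))
        except OSError:
            continue  # process exited while it was being read
        if len(argv) == 2 and argv[1] == ppid:
            suspects.add(argv[0])
            pid = os.path.basename(proc_dir)
            findings.append(("ppid_argument", f"{pid}: {' '.join(argv)}"))
    # A startup script that launches a flagged binary is the persistence hook.
    for pattern in STARTUP_GLOBS:
        for script in sorted(glob.glob(os.path.join(root, pattern))):
            try:
                with open(script, errors="replace") as f:
                    text = f.read()
            except OSError:
                continue  # directory or unreadable entry
            for exe in sorted(suspects):
                if exe in text:
                    findings.append(("startup_reference", f"{script} -> {exe}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in triage():
        print(f"{indicator}: {detail}")
```

Passing a mounted disk image or a copied evidence tree as `root` runs the same checks offline; a profile-file hit alone is the strongest of the three signals, since the other two depend on the heuristic.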

Command And Control (C2) Communication

The Linux variant connects to its C2 server via TCP or UDP. The C2 domain is hard-coded in the program.

The RAT sends information back to the C2 at a customizable time interval. If the user is root, communication occurs immediately.

It uses a standardized network packet format and recognizes a variety of commands for managing the infected system.

The Linux variant uses the same encryption mechanisms as the Windows version. It relies on the qq_crypt functions from Pidgin's libqq library, which use the Tiny Encryption Algorithm (TEA) in CBC mode.

Notably, it uses the Windows version's encryption keys for C2 and name encryption.

The infrastructure employed by DinodasRAT's Linux versions was operational during the research, and a single IP address served both the Windows and Linux C2 domains.

China, Taiwan, Turkey, and Uzbekistan are among the countries worst hit. Kaspersky products identify this Linux version as HEUR:Backdoor.Linux.Dinodas.a.

The discovery of the Linux edition of DinodasRAT demonstrates the threat actors' capacity to attack Linux infrastructure. Unlike the Windows-focused Operation Jacana, the Linux version does not prioritize user data for infection management. Instead, it generates UIDs based on hardware-specific information, underscoring the attackers' aim of retaining access to Linux servers.