Multi-Platform Threat: DinodasRAT Backdoor Lands on Linux

Specialists at Kaspersky Lab have identified a Linux version of the multi-platform backdoor DinodasRAT (XDealer), targeting China, Taiwan, Turkey, and Uzbekistan. This Remote Access Trojan, crafted in C++, is adept at extracting a broad spectrum of confidential information from compromised systems.

The Windows variant was deployed in attacks against the government institutions of Guyana during Operation Jacana last year. The Linux version of DinodasRAT (V10) was uncovered in early October 2023. The earliest known iteration (V7) dates back to 2021, primarily targeting distributions based on Red Hat and Ubuntu Linux. Upon activation, the malware establishes a persistent presence on the host, leveraging SystemV or SystemD startup scripts, and intermittently connects to a remote server via TCP or UDP to receive commands.

DinodasRAT is capable of file operations, modifying control, and command addresses, enumerating and terminating processes, executing shell commands, downloading new versions of the backdoor, and even self-deletion. Additionally, measures are taken to evade detection by debugging and monitoring tools, while communication with the control server is encrypted using the Tiny Encryption Algorithm (TEA), as in the Windows variant.

The principal objective of DinodasRAT is to secure and maintain access through Linux servers, rather than reconnaissance. The backdoor grants operators complete control over the infected machine, enabling data exfiltration and espionage, as concluded by the experts.