Since the beginning of the year, security researchers from Check Point Research (CPR) have been investigating the activities of a Chinese cyber espionage threat actor focused on Southeast Asia, Africa, and South America. The toolkit for this threat actor includes the DinodasRAT [1] cross-platform backdoor, also known as XDealer, which was previously observed in attacks by the Chinese group known as LuoYu.
This article provides technical analysis of the Linux version (v11) of DinodasRAT, aka Linodas. The Linux edition appears to be more sophisticated than the Windows version and has a range of features specially tailored to Linux servers. In addition, the version under investigation introduces a separate bypass module to hide traces of malware in the system. The execution of the system binary files is modified by proxies.
Dinodas Origins
Several clues indicate DinodasRAT was originally based on the SimpleRemote [2] open source project. SimpleRemote is a remote access tool based on the Windows remote access trojan Gh0st RAT [3], but it has some additional improvements. Similarities between SimpleRemote and an older version of DinodasRAT include the use of the same Zlib library (version 1.2.11) and some overlaps in the code (Figure 1).
The developers of DinodasRAT rehashed parts of the source code and added some additional open source code from another repository. This code includes functions for handling INI files. DinodasRAT uses encryption used in QQ Messenger.
Independent Code Base
All examples of the cross-platform DinodasRAT embed a string containing the internal version of the backdoor. Some strings reflecting the development of the backdoor appear in Table 1.
This story is from the #289/December 2024: Coding with AI edition of Linux Magazine.
Start your 7-day Magzter GOLD free trial to access thousands of curated premium stories, and 9,000+ magazines and newspapers.
Already a subscriber ? Sign In
This story is from the #289/December 2024: Coding with AI edition of Linux Magazine.
Start your 7-day Magzter GOLD free trial to access thousands of curated premium stories, and 9,000+ magazines and newspapers.
Already a subscriber? Sign In
MADDOG'S DOGHOUSE
The stakeholder approach of open source broadens the pool of who can access, influence, and benefit from information technologies.
MakerSpace
Rust, a potential successor to C/C++, claims to solve some memory safety issues while maintaining high performance. We look at Rust on embedded systems, where memory safety, concurrency, and security are equally important
In Harmony
Using the Go Interface mechanism, Mike demonstrates its practical application with a refresh program for local copies of Git repositories.
Monkey Business
Even small changes in a web page can improve the browsing experience. Your preferred web browser provides all the tools you need to inject JavaScript to adapt the page. You just need a browser with its debugging tools, some knowledge of scripting, and the browser extension Tampermonkey.
Smarter Navigation
Zoxide, a modern version of cd, lets you navigate long directory paths with less typing.
Through the Back Door
Cybercriminals are increasingly discovering Linux and adapting malware previously designed for Windows systems. We take you inside the Linux version of a famous Windows ransomware tool.
Page Pulse
Do you want to be alerted when a product is back in stock on your favorite online store? Do you want to know when a website without an RSS feed gets an update? With changedetection.io, you can stay up-to-date on website changes.
Arco Linux
ArcoLinux, an Arch derivative, offers easier installs while educating users about Arch Linux along the way.
Ghost Coder
Artificial intelligence is increasingly supporting programmers in their daily work. How effective are these tools? What are the dangers? And how can you benefit from Al-assisted development today?
Zack's Kernel News
Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.
