DinodasRAT, a C++-based malware, has emerged as a serious threat to Linux users. Initially discovered targeting Windows systems, researchers have recently reported a Linux variant of this multi-platform backdoor actively deployed in cyberattacks. This article explores the capabilities of DinodasRAT (also known as XDealer) and the dangers it poses to Linux servers.

Recent findings from Kaspersky shed light on the spread of DinodasRAT, with targets spanning regions including China, Taiwan, Turkey, and Uzbekistan. This malware allows attackers to extract a wide range of sensitive data from compromised hosts, making it a formidable adversary in the realm of cyber espionage.

Linux Variant Observed in Attacks

Kaspersky identified the first Linux version of DinodasRAT (V10) in October 2023. However, further research suggests the first known variant (V7) appeared in July 2021. Check Point later discovered a more advanced version (V11) in November 2023. This variant primarily targets Red Hat-based distributions and Ubuntu Linux.

A report by Trend Micro linked a Chinese APT (Advanced Persistent Threat) group, “Earth Krahang,” to the use of DinodasRAT. The group reportedly employed XDealer to breach government systems running on both Windows and Linux platforms.

Functionality and Impact

DinodasRAT establishes persistence on infected systems with the help of SystemV or SystemD startup scripts and communicates with remote servers to receive commands. It boasts a range of malicious capabilities, including:

• File manipulation
• Updating C2 server addresses
• Enumerating and terminating running processes
• Executing shell commands
• Downloading new versions of itself
• Self-uninstallation

DinodasRAT also employs various techniques to evade detection by debugging and monitoring tools and encrypt communication with the C2 server using the Tiny Encryption Algorithm (TEA). Kaspersky emphasizes that its primary function is to grant attackers complete control over compromised Linux servers. This enables them to exfiltrate data and conduct espionage activities.

Protecting Yourself

The lower security protocols employed on Linux systems make them vulnerable entry points for attackers. By following the security best practices, you can significantly reduce the risk of falling victim to DinodasRAT and other Linux-targeting malware. These include keeping your Linux systems up-to-date with the latest security patches, regularly monitoring system activity for unusual behavior, and implementing robust security solutions to detect and prevent malicious activities.

Conclusion

The emergence of a Linux variant of DinodasRAT highlights the growing focus of cybercriminals on targeting Linux servers. As threat actors continue to find new tactics, organizations require a modern patching approach for Linux security. One of the effective strategies is live patching.

TuxCare’s KernelCare Enterprise offers live patching services for all major Linux distributions, including Ubuntu, Debian, RHEL, CentOS, Rocky Linux, AlmaLinux, Oracle Linux, CloudLinux, and more. It enables you to deploy security updates automatically without needing to reboot the system.

Send patching-related questions to a TuxCare security expert to learn more about Linux live patching strategy.

The sources for this article include a story from TheHackerNews.

The post DinodasRAT Malware: A Multi-Platform Backdoor Targeting Linux appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/dinodasrat-malware-a-multi-platform-backdoor-targeting-linux/