Kaspersky has uncovered a new Linux-targeted DinodasRAT backdoor variant, actively compromising organisations in China, Taiwan, Turkiye, and Uzbekistan since at least October 2023. This variant allows cybercriminals to covertly monitor and control compromised systems, highlighting that even Linux’s renowned security is not impervious to threats.

Discovered during ongoing investigations into suspicious activities, this variant shares code and network indicators with the Windows version previously identified by ESET.

This Linux variant, developed in C++, is designed to infiltrate Linux infrastructures undetected, demonstrating cybercriminals’ advanced capabilities to exploit even the most secure systems. Upon infection, the malware collects essential information from the host machine to create a unique identifier (UID). It does so without gathering user-specific data, thereby avoiding early detection.

Once contact with the C2 server is established, the implant stores all local information regarding the victim’s ID, privilege level, and other relevant details in a hidden file named “/etc/.netc.conf”. This profile file contains the metadata collected by the backdoor at that time. This RAT empowers the malicious actor to observe and harvest sensitive data from a target’s computer, as well as take full control over the victim’s machine. The malware is programmed to automatically send the captured data every two minutes and 10 hours.

All Kaspersky products detect this Linux variant as HEUR:Backdoor.Linux.Dinodas.a.

“Half a year after ESET’s announcement regarding the Windows variant of DinodasRAT, we have uncovered a fully-functional Linux version of the malware,” says Lisandro Ubiedo, a security expert at Kaspersky’s GReAT (Global Research and Analysis Team). “This underscores the fact that cybercriminals are continuously developing their tools to evade detection and target more victims. We urge all members of the cybersecurity community to exchange knowledge about the latest findings to ensure the cyber safety of businesses.”