China-linked cyber spies targeting multiple regions with advanced Linux backdoor

Check Point’s threat analysis team published a report detailing a Linux version of a cross-platform backdoor named DinodasRAT, also known as XDealer, previously linked to Chinese threat actor LuoYu.

The malware was discovered while analyzing the activities of a Chinese-nexus cyber espionage group focusing on Southeast Asia, Africa, and South America. The threat actor appears to be the same group, tracked as Earth Krahang, detailed by Trend Micro researchers in March.

The Windows version of DinodasRAT was first spotted in a cyberespionage campaign targeting a governmental entity in Guyana back in October 2023. According to Check Point, the Linux version, which it tracks as Linodas, is more mature than the Windows variant and is tailored with capabilities specifically aimed at Linux servers.

Notably, Linodas comes with a separate evasion module designed to conceal traces of malware within the system by proxying and modifying the execution of system binaries. Several findings indicate that DinodasRAT was initially based on the open-source project SimpleRemoter, a remote access tool based on Gh0st RAT, evident in shared functionalities and code overlaps, including the usage of the same zlib library version 1.2.11.

Further examination found additional snippets of open-source code, including functionality related to handling INI files and encryption methods borrowed from QQ. The earliest observed Linux version of DinodasRAT dates back to July 2021, internally numbered as v7, indicating an earlier phase of development.

The presence of different internal versions, such as v7 and v11, suggests the possibility of multiple development teams or distinct backdoors in various stages of development, communicating with the same command-and-control (C2) server. Despite potential differences in versions, both Linux and Windows variants have overlapping command IDs, enabling seamless support for similar malware functionalities across different operating systems.

Upon installation on Linux servers, DinodasRAT, often disguised as system or driver files related to NTFS, serves as a means for threat actors to establish an additional foothold within networks. The backdoor implements extensive persistence mechanisms that cover various Ubuntu and RedHat distributions, verifying the operating system version and employing multiple methods to ensure its longevity within the compromised system.

“The complexity and capabilities of Linodas highlight the continued emphasis by threat actors on targeting Linux servers both as a method for maintaining presence and as a pivot point within compromised networks,” the research team noted. “This approach likely exploits the typically lower level of security protocols and solutions usually installed on Linux boxes, allowing the attackers to extend their foothold and remain undetected for longer periods.”
