The Linux version of DinodasRAT is aimed at users worldwide.

Researchers from Kaspersky have warned about the existence of a variant of the DinodasRAT Trojan for the Linux operating system. This version of the Trojan has been used to target users in China, Taiwan, Turkey, and Uzbekistan.

DinodasRAT is a multi-platform Trojan written in C++ that is capable of spying on users and stealing sensitive data from their systems.

Researchers from ESET had previously documented a Windows version of DinodasRAT used in attacks on government institutions in Guyana. In October 2023, Kaspersky found a Linux version of DinodasRAT; the experts believe it has been active since 2022.

In March 2024, Trend Micro researchers disclosed a complex campaign carried out by a threat group tracked as Earth Krahang. The campaign primarily targets government organizations and has likely been active since at least the beginning of 2022. Since 2023, Earth Krahang has also used a backdoor called XDealer, which is another name for DinodasRAT and offers more capabilities for conducting attacks; the group deploys both its Windows and its Linux version.

DinodasRAT Linux primarily targets Red Hat-based and Ubuntu distributions. After infection, the trojan creates a hidden file in the same directory as its executable, named in the format ".[file_name].mu", and it establishes persistence by installing SystemV or systemd startup scripts.
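The ".[file_name].mu" marker is a cheap host-level hunting signal: a hidden file whose name is an executable in the same directory, wrapped in a leading dot and a ".mu" suffix. The script below, an added example written for this page rather than code from Kaspersky or from the malware, walks a directory tree and reports every such pair where the sibling is a regular, executable file. The directory layout in build_sample_tree() and the requirement that the sibling be executable are this example's assumptions; the page only states the naming pattern.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path


def find_mu_markers(root):
    """Return sorted (marker_path, executable_path) pairs found under `root`.

    A hit is a hidden file ".<name>.mu" in a directory that also contains a
    regular, executable file called "<name>" (the DinodasRAT marker pattern).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            # ".x.mu" is the shortest possible marker; "..mu" has no <name>.
            if not (name.startswith(".") and name.endswith(".mu") and len(name) > 4):
                continue
            sibling = name[1:-3]          # strip the leading "." and the ".mu"
            if sibling not in present:
                continue                  # no executable of that name beside it
            exe = Path(dirpath) / sibling
            try:
                mode = exe.stat().st_mode
            except OSError:
                continue                  # vanished or unreadable: skip, don't crash
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if stat.S_ISREG(mode) and executable:
                hits.append((str(Path(dirpath) / name), str(exe)))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree (not real artefacts): one true hit, two decoys."""
    svc = Path(base) / "opt" / "svc"
    svc.mkdir(parents=True)
    (svc / "agent").write_bytes(b"\x7fELF")      # stand-in for a dropped binary
    os.chmod(svc / "agent", 0o755)
    (svc / ".agent.mu").write_bytes(b"")         # marker beside its executable -> hit
    home = Path(base) / "home" / "user"
    home.mkdir(parents=True)
    (home / ".notes.mu").write_bytes(b"")        # no sibling "notes" -> ignored
    (home / "README").write_bytes(b"hello\n")
    os.chmod(home / "README", 0o644)
    (home / ".README.mu").write_bytes(b"")       # sibling exists but is not executable -> ignored


def demo():
    """Scan the constructed tree and return hits relative to its root."""
    base = tempfile.mkdtemp(prefix="dinodas-hunt-")
    build_sample_tree(base)
    return [(os.path.relpath(m, base), os.path.relpath(e, base))
            for m, e in find_mu_markers(base)]


if __name__ == "__main__":
    roots = sys.argv[1:]
    if not roots:
        for marker, exe in demo():
            print(f"[demo] marker {marker} beside executable {exe}")
    for root in roots:
        for marker, exe in find_mu_markers(root):
            print(f"marker {marker} beside executable {exe}")
```

Run it as `python3 hunt_mu.py /opt /usr/local /home /tmp` on a suspect host; with no arguments it scans the constructed sample tree. A hit is only a lead: confirm it by checking the sibling binary's hash and the SystemV/systemd startup entries that launch it.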

The trojan collects information about the infected machine and sends it to the command and control (C2) server. Both the Windows and Linux versions of DinodasRAT communicate with the server over TCP or UDP. The C2 domain is stored encrypted in the executable.

Note that the attackers do not collect information about specific users to build the UID. The UID is composed of the infection date, the MD5 hash of the output of the dmidecode command (a detailed report on the system's built-in hardware), a randomly generated identifier, and the trojan's version.

The report lists the commands supported by the trojan (ID, function name, and action):

  • 0x02 DirClass: list the contents of a directory.
  • 0x03 DelDir: delete a directory.
  • 0x05 UploadFile: upload a file to the C2.
  • Stop the file upload.
  • 0x08 DownLoadFile: download a file from the C2 to the infected system.
  • Stop the file download.
  • 0x0E DealChgIp: change the C2 address.
  • List the logged-in users.
  • 0x11 EnumProcess: list the running processes.
  • 0x12 StopProcess: terminate a running process.
  • 0x13 EnumService: list all available services using chkconfig.
  • 0x14 ControlService: control an available service; argument 1 starts it, 0 stops it, and 2 stops and removes it.
  • 0x18 DealExShell: execute a shell command and send its output to the C2.
  • 0x19 ExecuteFile: execute the file at the given path in a separate thread.
  • 0x1A DealProxy: proxy the C2 connection through a remote proxy server.
  • 0x1B StartShell: create an interactive shell for the attacker.
  • 0x1C ReRestartShell: restart the created shell.
  • 0x1D StopShell: stop the current shell.
  • 0x1E WriteShell: write commands to the current shell, creating one if necessary.
  • 0x27 DealFile: download and install a new version of the trojan.
  • 0x28 DealLocalProxy: send the message "OK".
  • 0x2B ConnectCtl: manage the connection type.
  • 0x2C ProxyCtl: manage the proxy type.
  • 0x2D Trans_mode: set or get the file transfer mode (TCP/UDP).
  • Uninstall the trojan and remove all traces from the system.

The Linux version of DinodasRAT reuses the qq_crypt library from Pidgin for encrypting and decrypting data; it implements the Tiny Encryption Algorithm (TEA) in CBC mode.
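To make the primitive concrete, here is textbook TEA (Wheeler and Needham, 32 cycles, 128-bit key as four big-endian 32-bit words) wrapped in a plain CBC mode with PKCS#7-style padding. This is an added example written for this page, not code from Pidgin's qq_crypt, from Kaspersky, or from the malware: qq_crypt's variant is assumed here to differ in round count, padding and chaining details, so this block illustrates the algorithm the report names and is not a drop-in decryptor for captured DinodasRAT traffic. The key, IV and sample plaintext are constructed.

```python
import struct

DELTA = 0x9E3779B9          # TEA's key-schedule constant (golden-ratio derived)
MASK32 = 0xFFFFFFFF
CYCLES = 32                 # standard TEA: 32 cycles = 64 Feistel rounds


def tea_encrypt_block(v0, v1, key):
    """Encrypt one 64-bit block given as two 32-bit words; key is 4 words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(CYCLES):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: same rounds, applied backwards."""
    k0, k1, k2, k3 = key
    s = (DELTA * CYCLES) & MASK32     # 0xC6EF3720, the final sum of encryption
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def _xor8(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tea_cbc_encrypt(plaintext, key_bytes, iv):
    """CBC over 8-byte TEA blocks with PKCS#7-style padding (this example's choice)."""
    key = struct.unpack(">4I", key_bytes)
    pad = 8 - len(plaintext) % 8          # always add 1..8 bytes of padding
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, bytearray()
    for i in range(0, len(data), 8):
        c0, c1 = tea_encrypt_block(*struct.unpack(">2I", _xor8(data[i:i + 8], prev)), key)
        prev = struct.pack(">2I", c0, c1)  # ciphertext block feeds the next XOR
        out += prev
    return bytes(out)


def tea_cbc_decrypt(ciphertext, key_bytes, iv):
    """Decrypt tea_cbc_encrypt output; rejects bad lengths and bad padding."""
    key = struct.unpack(">4I", key_bytes)
    if not ciphertext or len(ciphertext) % 8:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), 8):
        cur = ciphertext[i:i + 8]
        p0, p1 = tea_decrypt_block(*struct.unpack(">2I", cur), key)
        out += _xor8(struct.pack(">2I", p0, p1), prev)
        prev = cur
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return bytes(out[:-pad])


if __name__ == "__main__":
    key = bytes(range(16))                # constructed key, not one from the malware
    iv = b"\x00" * 8
    msg = b"constructed beacon payload"
    ct = tea_cbc_encrypt(msg, key, iv)
    print(ct.hex())
    print(tea_cbc_decrypt(ct, key, iv))
```

The all-zero key and block give the well-known TEA test vector 41ea3a0a94baa940, which is a useful sanity check when you port a cipher out of a disassembled sample: if your reimplementation of the sample's routine does not match the textbook vector, you are looking at a variant (different round count, constants or chaining), which is exactly the situation with qq_crypt-derived code.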

The report concludes that DinodasRAT does not collect information about users; it gathers hardware data only to generate the UID. The main goal of DinodasRAT is to gain and keep access to Linux-based servers while remaining undetected. The trojan is fully functional and gives the attacker complete control over the infected machine, enabling data theft and espionage.

Author: Pierluigi Paganini (SecurityAffairs – hacking, Linux).
