Operation Jacana Reveals DinodasRAT Custom Backdoor

Published: 23/11/2024   Category: security




The previously undocumented data exfiltration malware was part of a successful cyber-espionage campaign against the Guyanese government, likely the work of a Chinese state-sponsored group.



A fresh malware threat dubbed DinodasRAT has been uncovered after being used in a targeted cyber-espionage campaign against a governmental entity in Guyana.
The campaign, which ESET calls Operation Jacana after water birds native to the South American country, could be linked to unnamed Chinese state-sponsored cyberattackers, researchers noted.
The campaign started with targeted spear-phishing emails that referenced recent Guyanese public and political affairs. Once in, the attackers moved laterally throughout the internal network; DinodasRAT was then used to exfiltrate files, manipulate Windows registry keys, and execute commands, according to ESET's Thursday analysis of the Jacana operation.
The malware got its name from the string "Din" at the beginning of each of the victim identifiers it sends to the attackers, and that string's similarity to the name of the diminutive hobbit Dinodas Brandybuck from The Lord of the Rings. Perhaps related: DinodasRAT uses the Tiny Encryption Algorithm (TEA) to lock away its command-and-control communications and exfiltration activities from prying eyes.
ESET attributes the campaign and the custom RAT to a Chinese advanced persistent threat (APT) with medium confidence, based in particular on the attack's use of the Korplug RAT (aka PlugX), a favorite tool of China-aligned cyberthreat groups like Mustang Panda.
The attack could be in retaliation for recent hiccups in Guyana–China diplomatic relations, according to ESET, such as Guyana's arrest of three people in a money-laundering investigation involving Chinese companies. Those allegations were disputed by the local Chinese embassy.
Interestingly, one lure mentioned a Guyanese fugitive in Vietnam and served malware from a legitimate domain ending in gov.vn.
"This domain indicates a Vietnamese governmental website; thus, we believe that the operators were able to compromise a Vietnamese governmental entity and use its infrastructure to host malware samples," said ESET researcher Fernando Tavella in the report, again suggesting that the activity is the work of a more sophisticated player.
