Through the Back Door

Since the beginning of the year, security researchers from Check Point Research (CPR) have been investigating the activities of a Chinese cyber espionage threat actor focused on Southeast Asia, Africa, and South America. The toolkit for this threat actor includes the DinodasRAT [1] cross-platform backdoor, also known as XDealer, which was previously observed in attacks by the Chinese group known as LuoYu.

This article provides technical analysis of the Linux version (v11) of DinodasRAT, aka Linodas. The Linux edition appears to be more sophisticated than the Windows version and has a range of features specially tailored to Linux servers. In addition, the version under investigation introduces a separate bypass module to hide traces of malware in the system. The execution of the system binary files is modified by proxies.

Dinodas Origins

Several clues indicate DinodasRAT was originally based on the SimpleRemote [2] open source project. SimpleRemote is a remote access tool based on the Windows remote access trojan Gh0st RAT [3], but it has some additional improvements. Similarities between SimpleRemote and an older version of DinodasRAT include the use of the same Zlib library (version 1.2.11) and some overlaps in the code (Figure 1).

The developers of DinodasRAT rehashed parts of the source code and added some additional open source code from another repository. This code includes functions for handling INI files. DinodasRAT uses encryption used in QQ Messenger.

Independent Code Base