In February 2023, a spearphishing campaign named Operation Jacana was discovered by ESET researchers, targeting a governmental entity in Guyana. Although a specific APT group could not be linked to the campaign, there is medium confidence that a China-aligned threat group is behind it. The attackers used a previously undocumented C++ backdoor, which ESET named DinodasRAT, to execute various malicious activities such as exfiltrating files, manipulating Windows registry keys, and executing CMD commands.
The attack began with a spearphishing email sent to the victim organization, specifically crafted to entice them. Once the victim clicked on the link in the email, a ZIP file was downloaded from a Vietnamese government website. The operators likely compromised the Vietnamese government entity to host their malware samples. After extracting the ZIP file, the victim became compromised with the DinodasRAT malware.
Upon breaching the target’s network, the attackers moved laterally using tools such as Impacket, which triggered BAT/Impacket.M and related detections in the network. The threat actors executed various commands, including creating new user accounts and manipulating files. Notably, they used the LOLBin ntdsutil.exe to dump passwords stored on a Windows server.
DinodasRAT is a remote access trojan developed in C++ with capabilities to spy on and collect sensitive information from a victim’s computer. It terminates processes, deletes files, and creates subdirectories for data collection and exfiltration. The malware takes screenshots of the victim’s machine, saves clipboard data, and sends the collected information to the command-and-control (C&C) server. The data is encrypted using the Tiny Encryption Algorithm (TEA) and base64 encoded before being sent.
TEA is a simple block cipher used by DinodasRAT for encryption and decryption. The malware utilizes three different TEA keys for different encryption scenarios. The encrypted data is further encoded with base64 before being sent to the C&C server.
As of writing, Operation Jacana has not been attributed to any known group. However, the presence of a variant of Korplug (aka PlugX), commonly used by China-aligned groups, hints at their involvement. Recent developments in Guyana–China diplomatic relations also strengthen the possibility of a China-aligned threat actor being responsible for the attack. Of note is the money laundering investigation involving Chinese companies and the Chinese economic interests in Guyana through the Belt and Road Initiative.
In conclusion, Operation Jacana is a targeted cyberespionage campaign that targeted a Guyanese governmental entity. The attackers used spearphishing emails and the DinodasRAT backdoor to gain initial access and move laterally through the victim’s network. While the specific APT group behind the campaign remains unknown, there is medium confidence that it is a China-aligned threat group. The use of a variant of Korplug and recent developments in Guyana–China relations support this hypothesis. ESET researchers continue to monitor the situation and work towards further attribution.