A new malware threat known as “DinodasRAT” has been uncovered in a targeted cyber-espionage campaign against a governmental entity in Guyana. This operation, referred to as “Operation Jacana” by ESET researchers, is believed to be the work of Chinese state-sponsored cyberattackers.
The campaign began with spear-phishing emails that discussed recent public and political affairs in Guyana. Once the attackers gained access to the network, they moved laterally within it. DinodasRAT, a remote access trojan, was then utilized to exfiltrate files, manipulate Windows registry keys, and execute commands, according to ESET’s analysis of the operation.
The name “DinodasRAT” is derived from the string “Din” that appears in each victim identifier sent to the attackers. The string is reminiscent of Dinodas Brandybuck, a hobbit character from J.R.R. Tolkien’s “The Lord of the Rings.” DinodasRAT uses the Tiny Encryption Algorithm (TEA) to conceal its communications and exfiltration activities.
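For analysts following up on the TEA detail above, here is an added example (not taken from ESET's report or from the malware): a reference implementation of the public TEA block cipher and a heuristic scan for its well-known constants in a byte buffer. The key, the sample buffer and all function names are constructed for illustration; the key and cipher mode DinodasRAT actually uses are not given on this page.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9                      # TEA's published round constant
ROUNDS = 32
DECRYPT_SUM = (DELTA * ROUNDS) & MASK   # starting sum when decrypting

def tea_encrypt_block(v0, v1, key):
    """Encrypt one 64-bit block (two 32-bit words) with a 4-word key."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, key):
    """Invert tea_encrypt_block by running the rounds backwards."""
    s = DECRYPT_SUM
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def find_tea_constants(data):
    """Return sorted (offset, label) hits for TEA constants in a byte buffer.

    XTEA and XXTEA share the same delta, so a hit is a lead to confirm by
    reading the surrounding code, not proof of TEA.
    """
    needles = {"delta": DELTA, "neg_delta": (-DELTA) & MASK, "decrypt_sum": DECRYPT_SUM}
    hits = []
    for label, value in needles.items():
        for fmt in ("<I", ">I"):        # little- and big-endian encodings
            pattern = struct.pack(fmt, value)
            pos = data.find(pattern)
            while pos != -1:
                hits.append((pos, label))
                pos = data.find(pattern, pos + 1)
    return sorted(hits)

# Constructed inputs: an arbitrary key and a fake code fragment, not malware data.
SAMPLE_KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
SAMPLE_BLOB = b"\x90" * 8 + struct.pack("<I", DELTA) + b"\x00" * 4 + struct.pack("<I", DECRYPT_SUM)

if __name__ == "__main__":
    ct = tea_encrypt_block(0x11223344, 0x55667788, SAMPLE_KEY)
    print("round trip:", [hex(w) for w in tea_decrypt_block(*ct, SAMPLE_KEY)])
    print("constant hits:", find_tea_constants(SAMPLE_BLOB))
```

The negated delta is included because compilers often emit the constant as a subtraction, so a scan for `0x9E3779B9` alone can miss a TEA routine.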
ESET researchers have attributed the campaign and the custom RAT to a Chinese advanced persistent threat (APT) with medium confidence. This conclusion is based in part on the utilization of the Korplug RAT, also known as PlugX, which is favored by China-aligned cyberthreat groups like Mustang Panda.
It is believed that the attack may be a response to recent tensions in Guyana-China diplomatic relations. For instance, Guyana’s arrest of three individuals as part of a money-laundering investigation involving Chinese companies may have provoked the cyberattack. However, the Chinese embassy in Guyana has disputed these allegations.
One particular lure used in the campaign mentioned a “Guyanese fugitive in Vietnam” and delivered malware from a legitimate domain with a gov.vn ending. ESET researcher Fernando Tavella suggests that this indicates the operators were able to compromise a Vietnamese governmental entity and leverage its infrastructure to host malware samples. This level of sophistication further supports the theory that the attack is the work of a highly skilled actor.
The emergence of DinodasRAT and its use in Operation Jacana highlights the ongoing threat posed by state-sponsored cyberattacks. In recent years, countries like China have been implicated in numerous cyber-espionage campaigns targeting governmental entities and organizations around the world. As cyber threats continue to evolve, it is crucial for governments and organizations to remain vigilant and employ robust cybersecurity measures to protect their sensitive information.
