Anatomy of a Linux backdoor attack

Through the Back Door

© Photo by David Szweduik on Unsplash

© Photo by David Szweduik on Unsplash

Article from Issue 289/2024
Author(s):

Cybercriminals are increasingly discovering Linux and adapting malware previously designed for Windows systems. We take you inside the Linux version of a famous Windows ransomware tool.

Since the beginning of the year, security researchers from Check Point Research (CPR) have been investigating the activities of a Chinese cyber espionage threat actor focused on Southeast Asia, Africa, and South America. The toolkit for this threat actor includes the DinodasRAT [1] cross-platform backdoor, also known as XDealer, which was previously observed in attacks by the Chinese group known as LuoYu.

This article provides technical analysis of the Linux version (v11) of DinodasRAT, aka Linodas. The Linux edition appears to be more sophisticated than the Windows version and has a range of features specially tailored to Linux servers. In addition, the version under investigation introduces a separate bypass module to hide traces of malware in the system. The execution of the system binary files is modified by proxies.

Dinodas Origins

Several clues indicate DinodasRAT was originally based on the SimpleRemote [2] open source project. SimpleRemote is a remote access tool based on the Windows remote access trojan Gh0st RAT [3], but it has some additional improvements. Similarities between SimpleRemote and an older version of DinodasRAT include the use of the same Zlib library (version 1.2.11) and some overlaps in the code (Figure 1).

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Backdoors

    Backdoors give attackers unrestricted access to a zombie system. If you plan to stop the bad guys from settling in, you’ll be interested in this analysis of the tools they might use for building a private entrance.

  • News

    In the news: Linux Mint 20.3 Now Available; Linux Gets an Exciting New Firmware Feature; elementary OS 6.1 Has Been Released; Intel Releases Linux Patch for Alder Lake Thread Director; New Multiplatform Backdoor Malware Targets Linux, macOS, and Windows; and WhiteSource Releases Free Log4j Detection Tool.

  • ESET Discovers New Linux Malware

    WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.

  • Honeynet

    Security-conscious admins can use a honeynet to monitor, log, and analyze intrusion techniques.

  • SpeakUp Trojan Targets Linux Servers

    It’s exploiting a known vulnerability.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News