Guyana Governmental Entity Hit by DinodasRAT in Cyber Espionage Attack

Cyber Security

Oct 05, 2023NewsroomCyber Espionage / Cyber Threat

A governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana.

The activity, which was detected by ESET in February 2023, entailed a spear-phishing attack that led to the deployment of a hitherto undocumented implant written in C++ called DinodasRAT.

The Slovak cybersecurity firm said it could link the intrusion to a known threat actor or group, but attributed with medium confidence to a China-nexus adversary owing to the use of PlugX (aka Korplug), a remote access trojan common to Chinese hacking crews.

“This campaign was targeted, as the threat actors crafted their emails specifically to entice their chosen victim organization,” ESET said in a report shared with The Hacker News.

“After successfully compromising an initial but limited set of machines with DinodasRAT, the operators proceeded to move inside and breach the target’s internal network, where they again deployed this backdoor.”

The infection sequence commenced with a phishing email containing a booby-trapped link with subject lines referencing an alleged news report about a Guyanese fugitive in Vietnam.

Should a recipient click on the link, a ZIP archive file is downloaded from the domain fta.moit.gov[.]vn, indicating a compromise of a Vietnamese governmental website to host the payload.

Embedded within the ZIP archive is an executable that launches the DinodasRAT malware to collect sensitive information from a victim’s computer.

DinodasRAT, besides encrypting the information it sends to the command-and-control (C2) server using the Tiny Encryption Algorithm (TEA), comes with capabilities to exfiltrate system metadata, files, manipulate Windows registry keys, and execute commands.

Also deployed are tools for lateral movement, Korplug, and the SoftEther VPN client, the latter of which has been put to use by another China-affiliated cluster tracked by Microsoft as Flax Typhoon.

“The attackers used a combination of previously unknown tools, such as DinodasRAT, and more traditional backdoors such as Korplug,” ESET researcher Fernando Tavella said.

“Based on the spear-phishing emails used to gain initial access to the victim’s network, the operators are keeping track of the geopolitical activities of their victims to increase the likelihood of their operation’s success.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

Google Messages Rolls Out Merged Camera and Gallery UI, Adds Image Quality Selection in Beta: Report
Sony in ‘Early Stages’ of Developing New PS5 Gaming Handheld to Compete With Nintendo Switch: Report
Apple’s 5x Periscope Telephoto Camera Will Remain Exclusive to iPhone 17 Pro, iPhone 17 Pro Max: Report
Bitcoin rises to fresh record above $94,000 as investors watch Trump transition, ETF options
Microsoft, Meta, and DOJ Disrupt Global Cybercrime and Fraudulent Networks